DRUPAL-CONTRIB-2021-004

Import Source
https://github.com/DrupalSecurityTeam/drupal-advisory-database/blob/main/advisories/webform/DRUPAL-CONTRIB-2021-004.json
JSON Data
https://api.osv.dev/v1/vulns/DRUPAL-CONTRIB-2021-004
Published
2021-03-03T16:49:33Z
Modified
2025-12-10T23:33:21.235133Z
Summary
[none]
Details

The Webform module for Drupal 8/9 includes a default Contact webform, which sends a notification email to the site owner and a confirmation email to the email address supplied via the form.

The confirmation email can be used as an open mail relay to send an email to any email address.

This vulnerability is mitigated by the fact that the site owner's email address is also receiving a notification email, which should alert the site owner to the exploitation. If the site owner's mailbox is not monitored, the open mail relay can be more easily exploited.

With the Webform module's latest release, the default Contact's confirmation email will only be sent to an authenticated user's email address. Anonymous users will no longer receive a confirmation email.

If anonymous users need to receive a confirmation email, we recommend adding spam protection to the form and updating the email handler accordingly.

References
Credits

Affected packages

Packagist: https://packages.drupal.org/8 / drupal/webform

Package

Name
drupal/webform
Purl
pkg:composer/drupal/webform

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
5.25.0
Database specific
{
    "constraint": "<5.25.0"
}
Type
ECOSYSTEM
Events
Introduced
6.0.0
Last affected
6.0.0
Database specific
{
    "constraint": "6.0.0"
}
Type
ECOSYSTEM
Events
Introduced
6.0.1
Last affected
6.0.1
Database specific
{
    "constraint": "6.0.1"
}

Database specific

affected_versions
"<5.25.0 || 6.0.0 || 6.0.1"
source
"https://github.com/DrupalSecurityTeam/drupal-advisory-database/blob/main/advisories/webform/DRUPAL-CONTRIB-2021-004.json"