DRUPAL-CONTRIB-2021-045

Import Source: https://github.com/DrupalSecurityTeam/drupal-advisory-database/blob/main/advisories/webform/DRUPAL-CONTRIB-2021-045.json
JSON Data: https://api.osv.dev/v1/vulns/DRUPAL-CONTRIB-2021-045
Published: 2021-12-08T18:02:44Z
Modified: 2025-12-10T23:33:24.149950Z
Summary: [none]
Details

Access Bypass:

This module enables you to build forms and surveys in Drupal.

The module doesn't sufficiently check access for administrative features for webforms attached to nodes using the Webform Node module. This may reveal submitted data or allow an attacker to modify submitted data. Additionally, for sites with webforms that send emails and store submissions this vulnerability would allow an attacker to use the site as an email relay (i.e. sending arbitrary emails).

There is no mitigation for this vulnerability. If you have the Webform Node module enabled you must update the Webform module.

Cross Site Scripting:

The Webform module enables site builders to create forms and surveys.

The Webform module doesn't sufficiently filter HTML when an element's 'Help title' and an 'Image Select' element's image text contain specially crafted malicious text.

This vulnerability is mitigated by the fact that an attacker must be able to create or edit webforms.


Affected packages

Packagist:https://packages.drupal.org/8 / drupal/webform

Package

Name: drupal/webform
Purl: pkg:composer/drupal/webform

Affected ranges

Type: ECOSYSTEM
Events:
  Introduced: 6.0.0
  Fixed: 6.0.6
Database specific:
{
    "constraint": ">=6.0.0 <6.0.6"
}

Type: ECOSYSTEM
Events:
  Introduced: 6.1.0
  Fixed: 6.1.2
Database specific:
{
    "constraint": ">=6.1.0 <6.1.2"
}

Database specific

affected_versions: ">=6.0.0 <6.0.6 || >=6.1.0 <6.1.2"
source: "https://github.com/DrupalSecurityTeam/drupal-advisory-database/blob/main/advisories/webform/DRUPAL-CONTRIB-2021-045.json"