Drupal Webform Module HTML Injection and Information Disclosure Vulnerabilities

The Webform module for Drupal is prone to an HTML-injection and an information-disclosure vulnerability.

An attacker may leverage these issues to obtain potentially sensitive session information, execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site, steal cookie-based authentication credentials, or control how the site is rendered to the user; other attacks are also possible.

Versions prior to Webform 6.x-2.8 and 5.x-2.8 are vulnerable.


 

Privacy Statement
Copyright 2010, SecurityFocus