Webform - Critical - Multiple vulnerabilities - SA-CONTRIB-2019-096
Webform - Critical - Multiple vulnerabilities - SA-CONTRIB-2019-096 Project: Webform Versions: 7.x-4.x, 7.x-3.x Date: 2019-December-11 Security risk: Critical 15∕25 Vulnerability: Multiple vulnerabilities
This module enables you to create forms to collect information from users and report, analyze and distribute it by email.
The 7.x-4.x module doesn't sufficiently protect against an attacker changing the submission identifier of a draft webform, thereby overwriting another user's submission. Confidential information is not disclosed, but information can be overwritten and therefore lost or forged.
The 7.x-4.x vulnerability is mitigated by the fact that an attacker must have a role with permission to submit a webform and the webform must have the advanced form setting of either 'Show "Save draft" button' and/or "Automatically save as draft between pages and when there are validation errors". Neither of these two options are enabled by default. Anonymous users cannot submit drafts and therefore cannot exploit this vulnerability.
Install the latest version:
If you use the Webform 3.x module for Drupal 7.x, upgrade to Webform 7.x-3.29 or to Webform 7.x-4.21.
If you use the Webform 4.x module for Drupal 7.x, upgrade to Webform 7.x-4.21