CVE-2012-1660
Description
Multiple cross-site scripting (XSS) vulnerabilities in components/select.inc in the Webform module 6.x-3.x before 6.x-3.17 and 7.x-3.x before 7.x-3.17 for Drupal, when the "Select (or other)" module is enabled, allow remote authenticated users with the create webform content permission to inject arbitrary web script or HTML via vectors related to (1) checkboxes or (2) radios.
Predictions
Heuristic predictions, AS-IS, for prioritization only.
Mitigations
Vendor advisory: secalert@redhat.com — http://www.securityfocus.com/bid/52345
Vendor advisory: secalert@redhat.com — http://secunia.com/advisories/48310
Vendor advisory: secalert@redhat.com — http://drupal.org/node/1472214
Vendor advisory: secalert@redhat.com — http://drupal.org/node/1472180
Vendor advisory: secalert@redhat.com — http://drupal.org/node/1472178
Application impact
| Vendor | Product | Versions | Fixed |
|---|---|---|---|
| nathan_haug | webform | 6.x-3.0 | |
| nathan_haug | webform | 6.x-3.1 | |
| nathan_haug | webform | 6.x-3.2 | |
| nathan_haug | webform | 6.x-3.3 | |
| nathan_haug | webform | 6.x-3.4 | |
| nathan_haug | webform | 6.x-3.5 | |
| nathan_haug | webform | 6.x-3.6 | |
| nathan_haug | webform | 6.x-3.7 | |
| nathan_haug | webform | 6.x-3.8 | |
| nathan_haug | webform | 6.x-3.9 | |
| nathan_haug | webform | 6.x-3.10 | |
| nathan_haug | webform | 6.x-3.11 | |
| nathan_haug | webform | 6.x-3.12 | |
| nathan_haug | webform | 6.x-3.13 | |
| nathan_haug | webform | 6.x-3.14 | |
| nathan_haug | webform | 6.x-3.15 | |
| nathan_haug | webform | 6.x-3.16 | |
| nathan_haug | webform | 6.x-3.x | |
| nathan_haug | webform | 7.x-3.0 | |
| nathan_haug | webform | 7.x-3.3 | |
| nathan_haug | webform | 7.x-3.4 | |
| nathan_haug | webform | 7.x-3.6 | |
| nathan_haug | webform | 7.x-3.7 | |
| nathan_haug | webform | 7.x-3.8 | |
| nathan_haug | webform | 7.x-3.9 | |
| nathan_haug | webform | 7.x-3.10 | |
| nathan_haug | webform | 7.x-3.11 | |
| nathan_haug | webform | 7.x-3.12 | |
| nathan_haug | webform | 7.x-3.13 | |
| nathan_haug | webform | 7.x-3.15 | |
| nathan_haug | webform | 7.x-3.16 | |
| nathan_haug | webform | 7.x-3.x | |
| drupal | drupal | - | |
References
- http://drupal.org/node/1472178
- http://drupal.org/node/1472180
- http://drupal.org/node/1472214
- http://drupalcode.org/project/webform.git/commit/90af819
- http://drupalcode.org/project/webform.git/commit/917fa91
- http://secunia.com/advisories/48310
- http://www.openwall.com/lists/oss-security/2012/04/07/1
- http://www.osvdb.org/79852
- http://www.securityfocus.com/bid/52345
- https://exchange.xforce.ibmcloud.com/vulnerabilities/73779
- http://drupal.org/node/1472178
- http://drupal.org/node/1472180
- http://drupal.org/node/1472214
- http://drupalcode.org/project/webform.git/commit/90af819
- http://drupalcode.org/project/webform.git/commit/917fa91
- http://secunia.com/advisories/48310
- http://www.openwall.com/lists/oss-security/2012/04/07/1
- http://www.osvdb.org/79852
- http://www.securityfocus.com/bid/52345
- https://exchange.xforce.ibmcloud.com/vulnerabilities/73779
CWEs
CWE-79
Verify integrity in audit chain (admin only). AS-IS.