CVE-2014-9022

medium

Published 2014-11-20 · Modified 2026-05-06

CVSS v3

—

CVSS v2

6.4

VIR risk

6.4

Description

The Webform Component Roles module 6.x-1.x before 6.x-1.8 and 7.x-1.x before 7.x-1.8 for Drupal allows remote attackers to bypass the "disabled" restriction and modify read-only components via a crafted form.

Predictions

Exploit likelihood

20%

Patch ETA

—

Heuristic predictions, AS-IS, for prioritization only.

Mitigations

vendor Authored 2026-05-27

Vendor advisory: cve@mitre.org — https://www.drupal.org/node/2373973

vendor Authored 2026-05-27

Vendor advisory: cve@mitre.org — https://www.drupal.org/node/2373473

vendor Authored 2026-05-27

Vendor advisory: cve@mitre.org — https://www.drupal.org/node/2373471

Application impact

Vendor	Product	Versions
web_component_roles_project	web_component_roles	`6.x-1.5`
web_component_roles_project	web_component_roles	`6.x-1.6`
web_component_roles_project	web_component_roles	`7.x-1.0`
web_component_roles_project	web_component_roles	`7.x-1.1`
web_component_roles_project	web_component_roles	`7.x-1.2`
web_component_roles_project	web_component_roles	`7.x-1.3`
web_component_roles_project	web_component_roles	`7.x-1.4`
web_component_roles_project	web_component_roles	`7.x-1.5`
web_component_roles_project	web_component_roles	`7.x-1.6`
web_component_roles_project	web_component_roles	`7.x-1.7`

References

CWEs

CWE-264

Verify integrity in audit chain (admin only). AS-IS.