Multiple cross-site scripting (XSS) vulnerabilities in components/select.inc in the Webform module 6.x-3.x before 6.x-3.17 and 7.x-3.x before 7.x-3.17 for Drupal, when the "Select (or other)" module is enabled, allow remote authenticated users with the create webform content permission to inject arbitrary web script or HTML via vectors related to (1) checkboxes or (2) radios.
The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
| Link | Tags |
|---|---|
| http://drupal.org/node/1472180 | patch |
| http://drupal.org/node/1472178 | patch |
| http://www.securityfocus.com/bid/52345 | vdb entry patch |
| http://secunia.com/advisories/48310 | third party advisory vendor advisory |
| http://www.openwall.com/lists/oss-security/2012/04/07/1 | mailing list |
| http://drupalcode.org/project/webform.git/commit/917fa91 | |
| http://www.osvdb.org/79852 | vdb entry |
| https://exchange.xforce.ibmcloud.com/vulnerabilities/73779 | vdb entry |
| http://drupalcode.org/project/webform.git/commit/90af819 | |
| http://drupal.org/node/1472214 | patch vendor advisory |