CVE-2012-1660

Nathan Haug Webform - XSS

Title source: rule

Description

Multiple cross-site scripting (XSS) vulnerabilities in components/select.inc in the Webform module 6.x-3.x before 6.x-3.17 and 7.x-3.x before 7.x-3.17 for Drupal, when the "Select (or other)" module is enabled, allow remote authenticated users with the create webform content permission to inject arbitrary web script or HTML via vectors related to (1) checkboxes or (2) radios.

References (10)

[Patch] http://drupal.org/node/1472178

[Patch] http://drupal.org/node/1472180

[Patch, Vendor Advisory] http://drupal.org/node/1472214

[Vendor Advisory] http://secunia.com/advisories/48310

[Third Party Advisory, VDB Entry] http://www.osvdb.org/79852

[Patch] http://www.securityfocus.com/bid/52345

[Third Party Advisory, VDB Entry] https://exchange.xforce.ibmcloud.com/vulnerabilities/73779

[Patch] http://drupalcode.org/project/webform.git/commit/90af819

[Patch] http://drupalcode.org/project/webform.git/commit/917fa91

[Mailing List] http://www.openwall.com/lists/oss-security/2012/04/07/1

Scores

EPSS 0.0046

EPSS Percentile 63.7%

Classification

CWE

CWE-79

Status published

Affected Products (45)

nathan_haug/webform

nathan_haug/webform

nathan_haug/webform

nathan_haug/webform

nathan_haug/webform

nathan_haug/webform

nathan_haug/webform

nathan_haug/webform

nathan_haug/webform

nathan_haug/webform

nathan_haug/webform

nathan_haug/webform

nathan_haug/webform

nathan_haug/webform

nathan_haug/webform

... and 30 more

Timeline

Published Sep 18, 2012

Tracked Since Feb 18, 2026