2025/01/16

Project: Webform Multiple File Upload

Security risk: Critical 16/25 AC:Basic/A:None/CI:Some/II:Some/E:Theoretical/TD:All

Vulnerability: Cross Site Scripting

Affected versions: <7.x-1.7

Description

The Webform Multiple File Upload module allows users to upload multiple files on a Webform.

The module doesn't sufficiently escape filenames when displaying them, thereby exposing an XSS vulnerability.

This vulnerability is mitigated by the fact that an attacker must have access to a Webform that allows multiple file uploads.

Solution

Install the latest version.

If you use the Webform Multiple File Upload module for Drupal 7, upgrade to Webform Multiple File Upload 7.x-1.7.

Reported by

Fixed by

Coordinated by

2024/02/28

Project: Coffee

Security risk: Moderately critical 13/25 AC:Basic/A:Admin/CI:Some/II:Some/E:Theoretical/TD:All

Vulnerability: Cross Site Scripting

Affected versions: <7.x-2.4

Description

The Coffee module helps you to navigate through the Drupal admin menus faster with a shortcut popup.

The module doesn't sufficiently escape menu names when displaying them in the popup, thereby exposing an XSS vulnerability.

This vulnerability is mitigated by the fact that an attacker must have a role with the permission "Administer menus and menu links".

See also Coffee - Moderately critical - Cross Site Scripting - SA-CONTRIB-2024-011.

Solution

Install the latest version.

If you use the Coffee module for Drupal 7, upgrade to Coffee 7.x-2.4.
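To check a Drupal 7 code base against both advisories on this page, the added example below (not code from either module or from the advisories) reads the `version` and `project` lines that Drupal.org packaging writes into a module's `.info` file and compares them with the fixed releases. The machine names `webform_multifile` and `coffee` and the sample `.info` text are assumptions constructed for illustration.

```python
import re

# Fixed releases from the two advisories. The machine names used as keys are
# assumptions; the advisories give only the projects' display names.
FIXED = {"webform_multifile": (1, 7), "coffee": (2, 4)}
VERSION_RE = re.compile(r"^7\.x-(\d+)\.(\d+|x)(?:-([a-z]+\d*))?$")

# Constructed sample of the lines Drupal.org packaging appends to a .info file.
SAMPLE_INFO = """name = Coffee
core = 7.x
; Information added by Drupal.org packaging script
version = "7.x-2.3"
project = "coffee"
"""

def parse_info(text):
    """Return the scalar key/value pairs of a Drupal 7 .info file."""
    pairs = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";") or "=" not in line:
            continue  # blank line, comment, or not an assignment
        key, value = line.split("=", 1)
        pairs[key.strip()] = value.strip().strip("\"'")
    return pairs

def status(info_text):
    """Classify a module as 'fixed', 'affected', 'unknown' or 'not-listed'."""
    info = parse_info(info_text)
    fixed = FIXED.get(info.get("project", ""))
    if fixed is None:
        return "not-listed"
    m = VERSION_RE.match(info.get("version", ""))
    if not m or m.group(2) == "x":
        return "unknown"  # no version line or a -dev snapshot: check by hand
    release = (int(m.group(1)), int(m.group(2)))
    if release == fixed:
        # 7.x-1.7-beta1 precedes 7.x-1.7, so a pre-release tag is not the fix.
        return "affected" if m.group(3) else "fixed"
    return "fixed" if release > fixed else "affected"

if __name__ == "__main__":
    print(status(SAMPLE_INFO))
```

A result of `unknown` means the installed code is a development snapshot or carries no packaged version, so it has to be compared with the fixed release by hand.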

Reported by

Fixed by

Coordinated by