2025/01/16
Project: Webform Multiple File Upload
Security risk: Critical 16/25 AC:Basic/A:None/CI:Some/II:Some/E:Theoretical/TD:All
Vulnerability: Cross Site Scripting
Affected versions: <7.x-1.7
Description
The Webform Multiple File Upload module allows users to upload multiple files on a Webform.
The module doesn't sufficiently escape filenames when displaying them, thereby exposing an XSS vulnerability.
This vulnerability is mitigated by the fact that an attacker must have access to a Webform that allows multiple file uploads.
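The unescaped-filename pattern described above, next to its escaped form, as an added example that is not the module's own code. The function names and sample filenames are constructed for illustration, and `escape_plain()` is a stand-in for Drupal 7's `check_plain()` so the script runs outside Drupal.

```php
<?php
// Added illustration; not code from the Webform Multiple File Upload module.

// Stand-in for Drupal 7's check_plain(), so this runs without a Drupal bootstrap.
function escape_plain($text) {
  return htmlspecialchars((string) $text, ENT_QUOTES, 'UTF-8');
}

// Vulnerable pattern: the client-supplied filename is placed into markup as-is.
function render_file_list_unescaped(array $filenames) {
  $items = '';
  foreach ($filenames as $name) {
    $items .= '<li>' . $name . '</li>';
  }
  return '<ul class="uploaded-files">' . $items . '</ul>';
}

// Hardened pattern: every filename is escaped at the point of output.
function render_file_list_escaped(array $filenames) {
  $items = '';
  foreach ($filenames as $name) {
    $items .= '<li>' . escape_plain($name) . '</li>';
  }
  return '<ul class="uploaded-files">' . $items . '</ul>';
}

// Constructed sample filenames: one ordinary, one with quotes and an
// ampersand, one carrying HTML markup in the name itself.
$uploads = array(
  'minutes-2025-01.pdf',
  'Q1 "draft" & notes.txt',
  '<img src=x onerror=alert(1)>.png',
);

$unsafe = render_file_list_unescaped($uploads);
$safe = render_file_list_escaped($uploads);

// Regression check: does markup from a filename survive into the HTML?
foreach (array('unescaped' => $unsafe, 'escaped' => $safe) as $label => $html) {
  $has_markup = strpos($html, '<img') !== FALSE;
  printf("%-9s filename markup reaches the page: %s\n", $label, $has_markup ? 'yes' : 'no');
}

echo $safe, "\n";
```

Escaping belongs at output time: the stored filename stays unchanged, and each place that prints it applies the escaping for its own context.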
Solution
Install the latest version.
If you use the Webform Multiple File Upload module for Drupal 7, upgrade to Webform Multiple File Upload 7.x-1.7.