Project
Date
Severity
Critical
Vulnerability
Cross Site Scripting
Affected versions
<7.x-1.7
Description
This is a port of a vulnerability patched by the D7Security group in Webform Multiple File Upload - Critical - Cross Site Scripting - D7SECURITY-SA-CONTRIB-2025-001.
The Webform Multiple File Upload module allows users to upload multiple files on a Webform.
The module doesn't sufficiently escape filenames when displaying them, thereby exposing an XSS vulnerability.
This vulnerability is mitigated by the fact that an attacker must have access to a Webform that allows multiple file uploads.
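The escaping failure described above, shown as an added example in plain PHP: it is not the module's code or the actual patch, and the function names and sample filenames are constructed for illustration. In Drupal 7 code, `check_plain()` applies the same `htmlspecialchars()` escaping used here.

```php
<?php
// Added illustration, not code from webform_multifile. The function names
// and sample filenames are constructed.

// Unsafe pattern: the uploader-controlled filename goes into markup as-is.
function render_file_list_unsafe(array $filenames) {
  $items = '';
  foreach ($filenames as $name) {
    $items .= '<li>' . $name . '</li>';
  }
  return '<ul>' . $items . '</ul>';
}

// Hardened pattern: escape each filename for HTML at the point of output.
function render_file_list_safe(array $filenames) {
  $items = '';
  foreach ($filenames as $name) {
    $items .= '<li>' . htmlspecialchars($name, ENT_QUOTES, 'UTF-8') . '</li>';
  }
  return '<ul>' . $items . '</ul>';
}

// Regression check: count tags in the output that the template did not emit.
function count_unexpected_tags($html) {
  preg_match_all('/<\/?([a-z][a-z0-9]*)\b[^>]*>/i', $html, $matches);
  $tags = array_map('strtolower', $matches[1]);
  return count(array_diff($tags, array('ul', 'li')));
}

// Constructed sample input: an ordinary name, one containing markup, and one
// containing characters that must be encoded as entities.
$uploads = array('report-2025.pdf', '<u>underlined.txt', 'a&b "final".doc');

$unsafe = render_file_list_unsafe($uploads);
$safe = render_file_list_safe($uploads);

printf("unsafe: %d unexpected tag(s)\n", count_unexpected_tags($unsafe));
printf("safe:   %d unexpected tag(s)\n", count_unexpected_tags($safe));
echo $safe, "\n";
```

A check like `count_unexpected_tags()` can be run against rendered submission pages after updating to confirm that filenames no longer contribute markup.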
Solution
If you use the webform_multifile module, update to Webform Multiple File Upload 7.x-1.7.
Reported by
- Michael Hess
Fixed by
- Greg Knaddison
- Rotem Reiss
- Tatiana Kiseleva
- Dmitry Kiselev
- MustangGB
- Moisés Rodríguez Carmona
- Tom Keitel
Coordinated by
- MustangGB
- Tag1 D7ES