Webform Multiple file upload - Moderately Critical - Access bypass

* Advisory ID: DRUPAL-SA-CONTRIB-2017-045
* Project: Webform Multiple File Upload (third-party module)
* Version: 7.x
* Date: 2017-May-10
* Security risk: 10/25 ( Moderately Critical)
* Vulnerability: Access bypass


This module enables you to upload multiple files at once in a webform.
The module doesn't sufficiently check access to file deletion urls.
This vulnerability is mitigated by the fact that an attacker must have a role
with the permission to edit all or their own webform submissions.


* webform_multifile 7.x-1.x versions prior to 7.x-1.5.

Drupal core is not affected. If you do not use the contributed Webform
Multiple File Upload [4] module, there is nothing you need to do.


Install the latest version:

* If you use the Webform Multiple File Upload module for Drupal 7.x,
to Webform Multiple File Upload 7.x-1.6

Also see the Webform Multiple File Upload project page: https://www.drupal.org/project/webform_multifile

Add new comment