Date: Thursday, Dec 12th, 2019
Security risk: Critical
Advisory ID: BACKDROP-SA-CONTRIB-2019-014
Vulnerability: Multiple vulnerabilities
Versions affected: 
  • Webform 1.x versions prior to 1.x-4.21.0
Description: 

The module doesn't sufficiently protect against an attacker changing the submission identifier of a draft webform submission, thereby overwriting another user's submission. Confidential information is not disclosed, but information can be overwritten, and therefore lost or forged.

This vulnerability is mitigated by the fact that an attacker must have a role with permission to submit a webform, and the webform must have at least one of the advanced form settings "Show 'Save draft' button" or "Automatically save as draft between pages and when there are validation errors" enabled (neither of these two options is enabled by default). Anonymous users cannot submit drafts, and therefore cannot exploit this vulnerability.
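The defensive check the description implies is an ownership test on the submission identifier before a draft is written over: the identifier supplied with the request must refer to a draft that belongs to the current user on the same webform. The following PHP is an added illustration of that check and is not code from the Webform module or the Backdrop project; the in-memory submission array, the field names (sid, nid, uid, is_draft), and the function names are all assumptions made for the example. The uid 0 rule reflects the advisory's note that anonymous users cannot hold drafts.

```php
<?php
// Added example (not Webform's code): refuse to overwrite a draft whose
// owner is not the current user. Storage, field names and function names
// are assumptions for illustration only.

class DraftAccessDenied extends Exception {}

// Constructed in-memory stand-in for the submission table, keyed by sid.
// Field names mirror the shape of a webform submission record but this
// array is not the module's storage.
$submissions = [
  41 => ['sid' => 41, 'nid' => 7, 'uid' => 12, 'is_draft' => 1, 'data' => ['name' => 'Alice']],
  42 => ['sid' => 42, 'nid' => 7, 'uid' => 13, 'is_draft' => 1, 'data' => ['name' => 'Bob']],
  43 => ['sid' => 43, 'nid' => 7, 'uid' => 12, 'is_draft' => 0, 'data' => ['name' => 'Alice (final)']],
];

/**
 * TRUE only if $uid may resume (and therefore overwrite) draft $sid on node $nid.
 * The check is deliberately strict: the record must exist, belong to the same
 * webform, still be a draft, be owned by the requesting user, and the user
 * must not be anonymous (uid 0), who cannot hold drafts at all.
 */
function draft_is_owned_by(array $submissions, int $nid, int $sid, int $uid): bool {
  if ($uid === 0 || !isset($submissions[$sid])) {
    return false;
  }
  $s = $submissions[$sid];
  return $s['nid'] === $nid && $s['is_draft'] === 1 && $s['uid'] === $uid;
}

/**
 * Writes $data over draft $sid for $uid, or throws when the sid supplied with
 * the request does not name a draft owned by that user. This runs before any
 * load of the submission, so a tampered sid never reaches the save path.
 */
function save_draft(array &$submissions, int $nid, int $sid, int $uid, array $data): array {
  if (!draft_is_owned_by($submissions, $nid, $sid, $uid)) {
    throw new DraftAccessDenied("sid $sid is not a draft owned by uid $uid on node $nid");
  }
  $submissions[$sid]['data'] = $data;
  return $submissions[$sid];
}

// Usage: uid 12 may update its own draft 41 ...
$saved = save_draft($submissions, 7, 41, 12, ['name' => 'Alice (edited)']);
echo "Saved draft {$saved['sid']} for uid {$saved['uid']}\n";

// ... but a request from uid 12 carrying sid 42 (another user's draft) is rejected,
// which is exactly the overwrite the advisory describes.
try {
  save_draft($submissions, 7, 42, 12, ['name' => 'forged']);
} catch (DraftAccessDenied $e) {
  echo "Rejected: ", $e->getMessage(), "\n";
}

// A sid that names a completed (non-draft) submission is rejected as well,
// even when the requesting user is its owner.
try {
  save_draft($submissions, 7, 43, 12, ['name' => 'late edit']);
} catch (DraftAccessDenied $e) {
  echo "Rejected: ", $e->getMessage(), "\n";
}
```

The point of the example is where the check sits: the identifier coming from the request is treated as untrusted input and validated against the draft's stored owner and state before any load or write, rather than trusting that a user who can reach the form is entitled to the draft the identifier points at.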

Solution: 

Upgrade your site to the most recent version of Webform.

Coordinated By: 

Security email list

Backdrop maintains a security mailing list. Whenever a security release comes out, an email will be sent to everyone subscribed to that list, announcing the new release. Please follow the steps below to join the Security email list.

  • Log in to backdropcms.org
  • Edit your profile
  • Scroll down to the "Email notifications" section
  • Check the box labeled "Receive BackdropCMS.org security announcements for core and contrib projects"