- Webform 1.x versions prior to 1.x-4.21.0
The module doesn't sufficiently protect against an attacker changing the submission identifier of a draft webform, thereby overwriting another user's submission. Confidential information is not disclosed, but information can be overwritten, and therefore lost or forged.
This vulnerability is mitigated by the fact that an attacker must have a role with permission to submit a webform, and the webform must have the advanced form setting of either Show "Save draft" button and/or Automatically save as draft between pages and when there are validation errors (neither of these two options are enabled by default). Anonymous users cannot submit drafts, and therefore cannot exploit this vulnerability.
Upgrade your site to the most recent version of Webform.