Drupal Webform Multiple File Upload Module Cross-Site Scripting Vulnerability

Vulnerability

A cross-site scripting (XSS) vulnerability has been identified in the Webform Multiple File Upload module for Drupal 7.x. The module's file name renderer emits uploaded file names without escaping them. An unauthenticated attacker can exploit this by uploading a file whose name contains JavaScript, for example an image tag with an error event handler, to a Webform node with a Multifile field on which file type validation has been disabled. When the file name is later rendered, the attacker's script runs in the browser of any user who views it.

Impact

Successful exploitation results in stored cross-site scripting: the attacker's script executes in the browser of any user who views the rendered file name, in the context of that user's session on the site.

Reproduction

To reproduce this vulnerability, enable the Webform and Webform Multiple File Upload modules. Create a Webform node, add a Multifile field, and disable file type validation on that field. Through that field, upload a file whose name carries a JavaScript payload, such as an image tag with an error event handler. Then view the page on which the uploaded file name is rendered and confirm that the payload executes instead of being displayed as escaped text.
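To make the vulnerable and fixed behaviour described above concrete, the following Python is an added example written for this entry; it is not code from the Webform Multiple File Upload module or from its patch. It contains a hypothetical stand-in for a file name renderer that concatenates the stored name straight into markup (the vulnerable pattern), the same renderer with URL encoding and HTML escaping applied (the hardened pattern), a scanner that flags already-uploaded names containing HTML-significant characters or event-handler attributes, and a name sanitizer for defence in depth. The upload path, the sample file names and all helper names are assumptions; the escaping step is the role check_plain() plays in Drupal 7, not a claim about what the module's patch does.

```python
"""Unescaped upload file name rendered into markup (stored XSS), the
hardened renderer beside it, and a scanner for names already uploaded.

Added example: a hypothetical stand-in for the module's file name
renderer, not code from the Webform Multiple File Upload module.
"""
import html
import re
from urllib.parse import quote

# Constructed sample names. PAYLOAD_NAME is the kind of name the advisory
# describes: an image tag whose error handler runs script.
PAYLOAD_NAME = '<img src=x onerror=alert(document.domain)>.txt'
SAMPLE_NAMES = [
    "report.pdf",
    PAYLOAD_NAME,
    'a"onmouseover="alert(1)".png',   # attribute-context variant
    "notes.txt",
]

# Assumed upload directory; the real path depends on site configuration.
UPLOAD_BASE = "/sites/default/files/webform/"


def render_unsafe(filename):
    """Vulnerable pattern: the stored name is concatenated straight into HTML.

    A name such as PAYLOAD_NAME becomes live markup on every page that
    lists the submission's files.
    """
    return '<a href="%s%s">%s</a>' % (UPLOAD_BASE, filename, filename)


def render_safe(filename):
    """Hardened pattern: percent-encode the name inside the URL and
    HTML-escape both the attribute value and the link text.

    html.escape(..., quote=True) stands in for Drupal 7's check_plain()
    (assumed equivalence, not the module's patch).
    """
    href = UPLOAD_BASE + quote(filename, safe="/")
    return '<a href="%s">%s</a>' % (
        html.escape(href, quote=True),
        html.escape(filename, quote=True),
    )


# Characters and fragments that a benign file name does not need but that
# an attacker needs to break out of text or attribute context in HTML.
# Review hits manually; a name like "onion=1.txt" will also match.
SUSPICIOUS = re.compile(r'[<>"\']|javascript:|\bon[a-z]+\s*=', re.IGNORECASE)


def is_suspicious_name(filename):
    """True if the name could change HTML structure when rendered unescaped."""
    return bool(SUSPICIOUS.search(filename))


def scan_names(names):
    """Incident-response helper: return the names that look like payloads.

    Feed it the file names already stored for the webform (for example
    os.listdir() of the upload directory) to find existing abuse.
    """
    return [name for name in names if is_suspicious_name(name)]


def sanitize_name(filename):
    """Defence in depth at upload time: keep only a conservative character set.

    Escaping at render time is the real fix; this only removes the raw
    material for a payload from what gets stored.
    """
    return re.sub(r"[^A-Za-z0-9._-]", "_", filename)


if __name__ == "__main__":
    print("unsafe: ", render_unsafe(PAYLOAD_NAME))
    print("safe:   ", render_safe(PAYLOAD_NAME))
    print("flagged:", scan_names(SAMPLE_NAMES))
    print("stored: ", sanitize_name(PAYLOAD_NAME))
```

Running the script prints the payload as a live image tag from the unsafe renderer and as an inert &lt;img ...&gt; entity sequence from the safe one, which is exactly the difference to look for when confirming whether a site is still affected after patching.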

Remediation

Users are advised to apply the patch available on GitHub or to update to a fixed release of the Webform Multiple File Upload module. Until the fix is deployed, keep file type validation enabled on Multifile fields, since the reported attack path requires it to be disabled.

Added: Nov 26, 2025, 2:19 AM
Updated: Nov 26, 2025, 2:19 AM

Vulnerability Rating

Custom Algorithm

spread: 1.0
impact: 1.7
exploitability: 7.9
remediation: 7.7
relevance: 1.1
threat: 6.4
urgency: 5.7
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.