216.73.216.133

CVE-2025-12848

· Published 26/11/2025 02:15 · Modified 05/12/2025 14:44

Labels: CVE-2025-12848 2025-11-26CVE-2025-12848CWE-79[email protected]

Essential information

Published
26/11/2025 02:15
Modified
05/12/2025 14:44
Author
Creator
CVSS
7.0 HIGH (v3) 7.0 HIGH (v4.0)
CISA KEV
No
CWE
CVSS vector

CVSS metrics

Description

Webform Multiple File Upload module for Drupal 7.x contains a cross-site scripting (XSS) vulnerability in the file name renderer. An unauthenticated attacker can exploit this vulnerability by uploading a file with a malicious filename containing JavaScript code (e.g., "<img src=1 onerror=alert(document.domain)>") to a Webform node with a Multifile field where file type validation is disabled. This allows the execution of arbitrary scripts in the context of the victim's browser. The issue is present in a third-party library and has been addressed in a patch available at  https://github.com/fyneworks/multifile/pull/44 . Users are advised to apply the provided patch or update to a fixed version of the module.

NVD status

Status
Analyzed — CVE has had analysis completed and all data associations made.
Source
[email protected]
NVD
View on NVD

Affected products (CPE)

ProductCPE
webform multiple file upload project / webform multiple file upload cpe:2.3:a:webform_multiple_file_upload_project:webform_multiple_file_upload:7.x-1.2:*:*:*:*:drupal:*:*
webform multiple file upload project / webform multiple file upload cpe:2.3:a:webform_multiple_file_upload_project:webform_multiple_file_upload:7.x-1.3:*:*:*:*:drupal:*:*
webform multiple file upload project / webform multiple file upload cpe:2.3:a:webform_multiple_file_upload_project:webform_multiple_file_upload:7.x-1.4:*:*:*:*:drupal:*:*
webform multiple file upload project / webform multiple file upload cpe:2.3:a:webform_multiple_file_upload_project:webform_multiple_file_upload:7.x-1.5:*:*:*:*:drupal:*:*
webform multiple file upload project / webform multiple file upload cpe:2.3:a:webform_multiple_file_upload_project:webform_multiple_file_upload:7.x-1.6:*:*:*:*:drupal:*:*
webform multiple file upload project / webform multiple file upload cpe:2.3:a:webform_multiple_file_upload_project:webform_multiple_file_upload:7.x-1.x:dev:*:*:*:drupal:*:*

References