PT-2025-48120 · Drupal+1 · Drupal Webform Multiple File Upload Module+1
Published: 2025-11-26 · Updated: 2025-12-05
CVE-2025-12848
CVSS v4.0: 7.0 (High)
Vector: AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:H/SC:N/SI:N/SA:N/S:N/R:U/V:D/RE:L/U:Amber
Name of the Vulnerable Software and Affected Versions
Drupal Webform Multiple File Upload module versions 7.x (affected versions not specified)
Description
The Webform Multiple File Upload module for Drupal 7.x contains a cross-site scripting (XSS) issue in the file name renderer, which is part of a third-party library. An unauthenticated attacker can exploit it by uploading a file whose name contains JavaScript code to a Webform node with a Multifile field where file type validation is disabled. This allows the execution of arbitrary scripts in the context of the victim's browser.
Recommendations
Apply the patch available at https://github.com/fyneworks/multifile/pull/44.
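The class of bug described above, shown as an added example (this is not the code from the pull request or from the module or library): a file name concatenated into markup unencoded, next to a renderer that HTML-encodes it first. All function names, class names and sample file names here are hypothetical and constructed for illustration.

```javascript
// Added example with hypothetical names; not the Multifile library's code.

// Unsafe pattern: the uploader-controlled file name is concatenated into
// markup, so tags or attributes inside the name become part of the page.
function renderFileNameUnsafe(fileName) {
  return '<span class="file-name">' + fileName + '</span>';
}

// Encode the five characters that can change HTML structure.
const HTML_ENTITIES = {
  '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
};
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ENTITIES[ch]);
}

// Hardened pattern: encode once, then use the encoded value in both the
// element content and the quoted title attribute.
function renderFileNameSafe(fileName) {
  const safe = escapeHtml(fileName);
  return '<span class="file-name" title="' + safe + '">' + safe + '</span>';
}

// Render the list of selected files the way an upload widget would,
// using only the hardened renderer.
function renderFileList(fileNames) {
  const items = fileNames.map((n) => '<li>' + renderFileNameSafe(n) + '</li>');
  return '<ul class="file-list">' + items.join('') + '</ul>';
}

// Constructed sample names: one ordinary, one carrying markup, one with
// quote and ampersand characters.
const SAMPLE_NAMES = [
  'report.pdf',
  '<img src=x onerror=alert(1)>.png',
  'a"b\'c&d.txt',
];

// Summarise whether a live <img> tag survives each renderer.
function demo() {
  return SAMPLE_NAMES.map((name) => ({
    name,
    unsafeHasTag: /<img\b/i.test(renderFileNameUnsafe(name)),
    safeHasTag: /<img\b/i.test(renderFileNameSafe(name)),
  }));
}
```

In code that builds DOM nodes directly rather than strings, assigning the name through `textContent` gives the same result without a manual encoder.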
Fix
XSS
Weakness Enumeration
Related Identifiers
Affected Products
Drupal Webform Multiple File Upload Module
Multifile