CVE-2019-25012
📋 TL;DR
This vulnerability in Drupal's Webform Report module allows unauthenticated remote attackers to view all form submissions by accessing the /rss.xml page. It affects Drupal 7 sites using the Webform Report 7.x-1.x-dev module. Note that this module is not covered by Drupal's official security advisory policy.
💻 Affected Systems
- Drupal Webform Report module
📦 What is this software?
Webform Report by Webform Report Project
⚠️ Risk & Real-World Impact
Worst Case
All webform submissions containing sensitive data (PII, credentials, confidential information) are exposed to any internet user, leading to data breaches and privacy violations.
Likely Case
Unauthenticated users can view all form submissions, potentially exposing personal information, contact details, or other sensitive data submitted through webforms.
If Mitigated
With proper access controls and module updates, only authorized users can access form submissions.
🎯 Exploit Status
Exploitation requires only visiting /rss.xml on the affected Drupal site. No authentication or special tools needed.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Check project page for updates
Vendor Advisory: https://www.drupal.org/project/webform_report/issues/3101410
Restart Required: No
Instructions:
1. Check the Webform Report project page for updated versions.
2. Update to a patched version if available.
3. If no patch is available, disable or remove the module.
🔧 Temporary Workarounds
Block RSS access
Block access to /rss.xml via web server configuration or Drupal access controls
# Apache: Add to .htaccess
RewriteRule ^rss\.xml$ - [F,L]
# Nginx: Add to site config
location = /rss.xml { deny all; }
Disable module
Disable the Webform Report module completely
drush dis webform_report
# Or disable via Drupal admin interface at /admin/modules
🧯 If You Can't Patch
- Disable the Webform Report module immediately
- Implement web server rules to block all access to /rss.xml
🔍 How to Verify
Check if Vulnerable:
Visit https://your-site.com/rss.xml and check if webform submissions are visible without authentication
Check Version:
drush pmi webform_report | grep Version
Verify Fix Applied:
After applying fixes, verify that /rss.xml returns a 403 or 404 response, or requires authentication, and that no webform submission data appears in the response body
📡 Detection & Monitoring
Log Indicators:
- Multiple GET requests to /rss.xml from unauthenticated users
- Access logs showing successful 200 responses to /rss.xml
Network Indicators:
- Unusual traffic patterns to /rss.xml endpoint
- External IPs accessing /rss.xml without prior authentication
SIEM Query:
source="web_logs" AND uri_path="/rss.xml" AND response_code=200 AND user_agent NOT CONTAINS "bot"
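The log indicators and SIEM query above can be applied directly to web server access logs. The following Python script is an added example, not part of this advisory or the Webform Report project: it parses Apache/Nginx combined-format log lines (the sample lines are constructed, with documentation-range IPs), flags successful 200 responses to /rss.xml from non-bot user agents, and counts hits per source IP so repeated retrieval from one address stands out. The field names and the per-IP threshold are assumptions for this example.

```python
import re
from collections import Counter

# Constructed sample access-log lines (combined log format); not real traffic.
# Two hits from one non-bot client, one crawler hit, one blocked (403) request,
# and one unrelated request that should all be classified differently.
SAMPLE_LOG = """\
203.0.113.10 - - [12/Jan/2020:10:01:02 +0000] "GET /rss.xml HTTP/1.1" 200 48213 "-" "Mozilla/5.0 (X11; Linux x86_64)"
203.0.113.10 - - [12/Jan/2020:10:01:09 +0000] "GET /rss.xml HTTP/1.1" 200 48213 "-" "Mozilla/5.0 (X11; Linux x86_64)"
198.51.100.7 - - [12/Jan/2020:10:02:15 +0000] "GET /rss.xml HTTP/1.1" 200 48213 "-" "Mozilla/5.0 (compatible; Googlebot/2.1)"
192.0.2.44 - - [12/Jan/2020:10:03:40 +0000] "GET /rss.xml HTTP/1.1" 403 199 "-" "curl/7.68.0"
192.0.2.44 - - [12/Jan/2020:10:03:41 +0000] "GET /node/1 HTTP/1.1" 200 5120 "-" "curl/7.68.0"
"""

# Combined log format: ip ident user [time] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

WATCHED_PATH = "/rss.xml"  # endpoint exposed by the vulnerable module


def parse_line(line):
    """Return a dict of log fields, or None if the line is not combined format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["status"] = int(entry["status"])
    # Drop any query string so "/rss.xml?x=1" still matches the watched path.
    entry["path"] = entry["path"].split("?", 1)[0]
    return entry


def is_exposure_hit(entry):
    """Mirror the advisory's SIEM query: 200 to /rss.xml from a non-bot UA."""
    return (
        entry["path"] == WATCHED_PATH
        and entry["status"] == 200
        and "bot" not in entry["ua"].lower()
    )


def find_hits(log_text):
    """All parsed entries that indicate a successful retrieval of /rss.xml."""
    hits = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is not None and is_exposure_hit(entry):
            hits.append(entry)
    return hits


def hits_per_ip(log_text):
    """Count successful /rss.xml retrievals per source IP."""
    return Counter(hit["ip"] for hit in find_hits(log_text))


def repeat_offenders(log_text, threshold=2):
    """IPs with at least `threshold` successful retrievals (assumed threshold)."""
    return sorted(ip for ip, n in hits_per_ip(log_text).items() if n >= threshold)


if __name__ == "__main__":
    for ip, n in hits_per_ip(SAMPLE_LOG).items():
        print(f"{ip}: {n} successful request(s) to {WATCHED_PATH}")
    print("repeat offenders:", repeat_offenders(SAMPLE_LOG))
```

The user-agent filter reproduces the advisory's query, but the User-Agent header is client-supplied, so excluding "bot" only removes noise from well-behaved crawlers; a client can name itself anything. Treat any 200 response to /rss.xml as the primary signal while the module is enabled, and use the per-IP count to prioritise review.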