CVE-2025-12848
📋 TL;DR
This CVE describes a cross-site scripting (XSS) vulnerability in the Webform Multiple File Upload module for Drupal 7.x. Unauthenticated attackers can upload files with malicious filenames containing JavaScript, which executes in victims' browsers when viewing affected webforms. Drupal 7 sites using the vulnerable module with file type validation disabled are affected.
💻 Affected Systems
- Webform Multiple File Upload module for Drupal
📦 What is this software?
Webform Multiple File Upload by Webform Multiple File Upload Project
⚠️ Risk & Real-World Impact
Worst Case
Attackers could steal session cookies, redirect users to malicious sites, perform actions on behalf of authenticated users, or deface websites.
Likely Case
Session hijacking, credential theft, or website defacement through malicious script execution in victims' browsers.
If Mitigated
Limited impact if proper input validation and output encoding are implemented, though the vulnerability still exists.
🎯 Exploit Status
Exploitation requires uploading a file with a malicious filename to a vulnerable webform.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Patched version via GitHub pull request #44
Vendor Advisory: https://www.drupal.org/node/3105204
Restart Required: No
Instructions:
1. Apply patch from https://github.com/fyneworks/multifile/pull/44
2. Clear Drupal cache
3. Verify file upload functionality works correctly
🔧 Temporary Workarounds
Enable file type validation
Enable file type validation on all Webform nodes with Multifile fields to prevent malicious file uploads.
Navigate to Webform node configuration and enable file type validation for Multifile fields
Disable vulnerable module
Temporarily disable the Webform Multiple File Upload module until patched.
drush pm-disable webform_multifile
Clear Drupal cache
🧯 If You Can't Patch
- Enable file type validation on all Webform Multifile fields
- Implement web application firewall rules to block file uploads with suspicious filenames
🔍 How to Verify
Check if Vulnerable:
Check whether the Webform Multiple File Upload module is enabled and file type validation is disabled on any Webform nodes.
Check Version:
drush pml | grep webform_multifile
Verify Fix Applied:
Verify the patch is applied by checking the module code or by attempting to upload a file with a malicious filename (test in a safe environment only).
📡 Detection & Monitoring
Log Indicators:
- File uploads with suspicious filenames containing script tags or JavaScript
- Multiple failed upload attempts with unusual filenames
Network Indicators:
- HTTP POST requests to file upload endpoints with malicious filenames
SIEM Query:
source="web_server" AND (method="POST" AND uri="*/file/upload*" AND (filename="*<script>*" OR filename="*onerror=*"))
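The SIEM query above can also be applied offline to upload logs. The following is an added example, not part of this advisory or the module's code: it scans constructed JSON-lines web server records (an assumed format) for POST uploads whose filename carries an HTML tag, an on* event-handler attribute or a javascript: URI, generalising the two literal patterns in the query.

```python
import json
import re

# Constructed sample log lines standing in for a web server upload log
# (JSON per line, with method/uri/filename fields). Not real traffic.
SAMPLE_LOG = """
{"method": "POST", "uri": "/file/upload/webform", "filename": "quarterly_report.pdf"}
{"method": "POST", "uri": "/file/upload/webform", "filename": "photo<script>alert(1)</script>.png"}
{"method": "POST", "uri": "/file/upload/webform", "filename": "cat.jpg onerror=alert(1)"}
{"method": "GET",  "uri": "/node/1",              "filename": "photo<script>x</script>.png"}
{"method": "POST", "uri": "/file/upload/webform", "filename": "online_form.txt"}
{"method": "POST", "uri": "/file/upload/webform", "filename": "x.pdf javascript:alert(1)"}
""".strip()

# Detection patterns, checked in order; the first match names the reason.
# These generalise the advisory's "*<script>*" and "*onerror=*" wildcards:
# any HTML tag start, any on* event-handler attribute, any javascript: URI.
PATTERNS = {
    "html-tag": re.compile(r"<\s*/?\s*[a-z]", re.IGNORECASE),
    "event-handler": re.compile(r"\bon[a-z]+\s*=", re.IGNORECASE),
    "javascript-uri": re.compile(r"javascript\s*:", re.IGNORECASE),
}


def classify_filename(name: str):
    """Return the matched reason for a suspicious filename, else None."""
    for reason, pattern in PATTERNS.items():
        if pattern.search(name):
            return reason
    return None


def is_upload(event: dict) -> bool:
    """Only POSTs to the file upload path count, as in the SIEM query."""
    return event.get("method", "").upper() == "POST" and "/file/upload" in event.get("uri", "")


def suspicious_uploads(log_text: str) -> list:
    """Parse JSON lines and return upload events with a flagged filename plus the reason."""
    hits = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip malformed lines rather than abort the scan
        reason = classify_filename(event.get("filename", ""))
        if is_upload(event) and reason:
            hits.append({**event, "reason": reason})
    return hits
```

A filename that merely contains "on" (such as online_form.txt) is not flagged, since the handler pattern requires a word boundary and a following "=".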