CVE-2012-1660 : Multiple cross-site scripting (XSS) vulnerabilities in components/select.inc in the Webform module 6.x-3.x before 6.x-3.

Multiple cross-site scripting (XSS) vulnerabilities in components/select.inc in the Webform module 6.x-3.x before 6.x-3.17 and 7.x-3.x before 7.x-3.17 for Drupal, when the "Select (or other)" module is enabled, allow remote authenticated users with the create webform content permission to inject arbitrary web script or HTML via vectors related to (1) checkboxes or (2) radios.

Published 2012-09-18 20:55:02

Updated 2017-08-29 01:31:21

Source Red Hat, Inc.

View at NVD, CVE.org

Vulnerability category: Cross site scripting (XSS)

Exploit prediction scoring system (EPSS) score for CVE-2012-1660

Probability of exploitation activity in the next 30 days: 0.12%

Percentile, the proportion of vulnerabilities that are scored at or less: ~ 45 % EPSS Score History EPSS FAQ

CVSS scores for CVE-2012-1660

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source
2.1	LOW	AV:N/AC:H/Au:S/C:N/I:P/A:N	3.9	2.9	NIST
Access Vector: Network Access Complexity: High Authentication: Single Confidentiality Impact: None Integrity Impact: Partial Availability Impact: None

CWE ids for CVE-2012-1660

CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

Assigned by: nvd@nist.gov (Primary)

References for CVE-2012-1660

http://drupal.org/node/1472214

SA-CONTRIB-2012-035 - Webform Cross Site Scripting (XSS) | Drupal.org
Patch;Vendor Advisory
http://drupalcode.org/project/webform.git/commit/90af819

Access to this page has been denied.
http://drupalcode.org/project/webform.git/commit/917fa91

Access to this page has been denied.
https://exchange.xforce.ibmcloud.com/vulnerabilities/73779

Webform module for Drupal unspecified cross-site scripting CVE-2012-1660 Vulnerability Report
http://www.openwall.com/lists/oss-security/2012/04/07/1

oss-security - CVE's for Drupal Contrib 2012 001 through 057 (67 new CVE assignments)

CVEs referencing this url
http://www.securityfocus.com/bid/52345

Drupal Webform Module Radio Buttons Checkboxes HTML Injection Vulnerability
Patch
http://drupal.org/node/1472178

Access to this page has been denied.
Patch
http://drupal.org/node/1472180

Patch

Products affected by CVE-2012-1660

Nathan Haug » Webform » Version: 6.x-3.0 Update Beta4
cpe:2.3:a:nathan_haug:webform:6.x-3.0:beta4:*:*:*:*:*:*
Matching versions
When used together with: Drupal » Drupal » Version: N/A
Nathan Haug » Webform » Version: 6.x-3.0 Update Beta5
cpe:2.3:a:nathan_haug:webform:6.x-3.0:beta5:*:*:*:*:*:*
Matching versions
When used together with: Drupal » Drupal » Version: N/A
Nathan Haug » Webform » Version: 6.x-3.4
cpe:2.3:a:nathan_haug:webform:6.x-3.4:*:*:*:*:*:*:*
Matching versions
When used together with: Drupal » Drupal » Version: N/A
Nathan Haug » Webform » Version: 6.x-3.5
cpe:2.3:a:nathan_haug:webform:6.x-3.5:*:*:*:*:*:*:*
Matching versions
When used together with: Drupal » Drupal » Version: N/A
Nathan Haug » Webform » Version: 6.x-3.6
cpe:2.3:a:nathan_haug:webform:6.x-3.6:*:*:*:*:*:*:*
Matching versions
When used together with: Drupal » Drupal » Version: N/A
Nathan Haug » Webform » Version: 6.x-3.13
cpe:2.3:a:nathan_haug:webform:6.x-3.13:*:*:*:*:*:*:*
Matching versions
When used together with: Drupal » Drupal » Version: N/A
Nathan Haug » Webform » Version: 6.x-3.14
cpe:2.3:a:nathan_haug:webform:6.x-3.14:*:*:*:*:*:*:*
Matching versions
When used together with: Drupal » Drupal » Version: N/A
Nathan Haug » Webform » Version: 7.x-3.11
cpe:2.3:a:nathan_haug:webform:7.x-3.11:*:*:*:*:*:*:*
Matching versions
When used together with: Drupal » Drupal » Version: N/A
Nathan Haug » Webform » Version: 7.x-3.10
cpe:2.3:a:nathan_haug:webform:7.x-3.10:*:*:*:*:*:*:*
Matching versions
When used together with: Drupal » Drupal » Version: N/A
Nathan Haug » Webform » Version: 7.x-3.0 Update Beta7
cpe:2.3:a:nathan_haug:webform:7.x-3.0:beta7:*:*:*:*:*:*
Matching versions
When used together with: Drupal » Drupal » Version: N/A
Nathan Haug » Webform » Version: 7.x-3.0 Update Beta6
cpe:2.3:a:nathan_haug:webform:7.x-3.0:beta6:*:*:*:*:*:*
Matching versions
When used together with: Drupal » Drupal » Version: N/A
Nathan Haug » Webform » Version: 6.x-3.0 Update Beta1
cpe:2.3:a:nathan_haug:webform:6.x-3.0:beta1:*:*:*:*:*:*
Matching versions
When used together with: Drupal » Drupal » Version: N/A
Nathan Haug » Webform » Version: 6.x-3.0
cpe:2.3:a:nathan_haug:webform:6.x-3.0:*:*:*:*:*:*:*
Matching versions
When used together with: Drupal » Drupal » Version: N/A
Nathan Haug » Webform » Version: 6.x-3.1
cpe:2.3:a:nathan_haug:webform:6.x-3.1:*:*:*:*:*:*:*
Matching versions
When used together with: Drupal » Drupal » Version: N/A
Nathan Haug » Webform » Version: 6.x-3.9
cpe:2.3:a:nathan_haug:webform:6.x-3.9:*:*:*:*:*:*:*
Matching versions
When used together with: Drupal » Drupal » Version: N/A
Nathan Haug » Webform » Version: 6.x-3.10
cpe:2.3:a:nathan_haug:webform:6.x-3.10:*:*:*:*:*:*:*
Matching versions
When used together with: Drupal » Drupal » Version: N/A
Nathan Haug » Webform » Version: 7.x-3.16
cpe:2.3:a:nathan_haug:webform:7.x-3.16:*:*:*:*:*:*:*
Matching versions
When used together with: Drupal » Drupal » Version: N/A
Nathan Haug » Webform » Version: 7.x-3.15
cpe:2.3:a:nathan_haug:webform:7.x-3.15:*:*:*:*:*:*:*
Matching versions
When used together with: Drupal » Drupal » Version: N/A
Nathan Haug » Webform » Version: 7.x-3.7
cpe:2.3:a:nathan_haug:webform:7.x-3.7:*:*:*:*:*:*:*
Matching versions
When used together with: Drupal » Drupal » Version: N/A
Nathan Haug » Webform » Version: 7.x-3.6
cpe:2.3:a:nathan_haug:webform:7.x-3.6:*:*:*:*:*:*:*
Matching versions
When used together with: Drupal » Drupal » Version: N/A
Nathan Haug » Webform » Version: 7.x-3.0 Update Beta3
cpe:2.3:a:nathan_haug:webform:7.x-3.0:beta3:*:*:*:*:*:*
Matching versions
When used together with: Drupal » Drupal » Version: N/A
Nathan Haug » Webform » Version: 7.x-3.0 Update Beta2
cpe:2.3:a:nathan_haug:webform:7.x-3.0:beta2:*:*:*:*:*:*
Matching versions
When used together with: Drupal » Drupal » Version: N/A
Nathan Haug » Webform » Version: 6.x-3.0 Update Beta6
cpe:2.3:a:nathan_haug:webform:6.x-3.0:beta6:*:*:*:*:*:*
Matching versions
When used together with: Drupal » Drupal » Version: N/A
Nathan Haug » Webform » Version: 6.x-3.x Update DEV
cpe:2.3:a:nathan_haug:webform:6.x-3.x:dev:*:*:*:*:*:*
Matching versions
When used together with: Drupal » Drupal » Version: N/A
Nathan Haug » Webform » Version: 6.x-3.7
cpe:2.3:a:nathan_haug:webform:6.x-3.7:*:*:*:*:*:*:*
Matching versions
When used together with: Drupal » Drupal » Version: N/A
Nathan Haug » Webform » Version: 6.x-3.8
cpe:2.3:a:nathan_haug:webform:6.x-3.8:*:*:*:*:*:*:*
Matching versions
When used together with: Drupal » Drupal » Version: N/A
Nathan Haug » Webform » Version: 6.x-3.15
cpe:2.3:a:nathan_haug:webform:6.x-3.15:*:*:*:*:*:*:*
Matching versions
When used together with: Drupal » Drupal » Version: N/A
Nathan Haug » Webform » Version: 6.x-3.16
cpe:2.3:a:nathan_haug:webform:6.x-3.16:*:*:*:*:*:*:*
Matching versions
When used together with: Drupal » Drupal » Version: N/A
Nathan Haug » Webform » Version: 7.x-3.9
cpe:2.3:a:nathan_haug:webform:7.x-3.9:*:*:*:*:*:*:*
Matching versions
When used together with: Drupal » Drupal » Version: N/A
Nathan Haug » Webform » Version: 7.x-3.8
cpe:2.3:a:nathan_haug:webform:7.x-3.8:*:*:*:*:*:*:*
Matching versions
When used together with: Drupal » Drupal » Version: N/A
Nathan Haug » Webform » Version: 7.x-3.0 Update Beta5
cpe:2.3:a:nathan_haug:webform:7.x-3.0:beta5:*:*:*:*:*:*
Matching versions
When used together with: Drupal » Drupal » Version: N/A
Nathan Haug » Webform » Version: 7.x-3.0 Update Beta4
cpe:2.3:a:nathan_haug:webform:7.x-3.0:beta4:*:*:*:*:*:*
Matching versions
When used together with: Drupal » Drupal » Version: N/A
Nathan Haug » Webform » Version: 6.x-3.0 Update Beta2
cpe:2.3:a:nathan_haug:webform:6.x-3.0:beta2:*:*:*:*:*:*
Matching versions
When used together with: Drupal » Drupal » Version: N/A
Nathan Haug » Webform » Version: 6.x-3.0 Update Beta3
cpe:2.3:a:nathan_haug:webform:6.x-3.0:beta3:*:*:*:*:*:*
Matching versions
When used together with: Drupal » Drupal » Version: N/A
Nathan Haug » Webform » Version: 6.x-3.2
cpe:2.3:a:nathan_haug:webform:6.x-3.2:*:*:*:*:*:*:*
Matching versions
When used together with: Drupal » Drupal » Version: N/A
Nathan Haug » Webform » Version: 6.x-3.3
cpe:2.3:a:nathan_haug:webform:6.x-3.3:*:*:*:*:*:*:*
Matching versions
When used together with: Drupal » Drupal » Version: N/A
Nathan Haug » Webform » Version: 6.x-3.11
cpe:2.3:a:nathan_haug:webform:6.x-3.11:*:*:*:*:*:*:*
Matching versions
When used together with: Drupal » Drupal » Version: N/A
Nathan Haug » Webform » Version: 6.x-3.12
cpe:2.3:a:nathan_haug:webform:6.x-3.12:*:*:*:*:*:*:*
Matching versions
When used together with: Drupal » Drupal » Version: N/A
Nathan Haug » Webform » Version: 7.x-3.13
cpe:2.3:a:nathan_haug:webform:7.x-3.13:*:*:*:*:*:*:*
Matching versions
When used together with: Drupal » Drupal » Version: N/A
Nathan Haug » Webform » Version: 7.x-3.12
cpe:2.3:a:nathan_haug:webform:7.x-3.12:*:*:*:*:*:*:*
Matching versions
When used together with: Drupal » Drupal » Version: N/A
Nathan Haug » Webform » Version: 7.x-3.4 Update Beta1
cpe:2.3:a:nathan_haug:webform:7.x-3.4:beta1:*:*:*:*:*:*
Matching versions
When used together with: Drupal » Drupal » Version: N/A
Nathan Haug » Webform » Version: 7.x-3.3 Update Beta1
cpe:2.3:a:nathan_haug:webform:7.x-3.3:beta1:*:*:*:*:*:*
Matching versions
When used together with: Drupal » Drupal » Version: N/A
Nathan Haug » Webform » Version: 7.x-3.0 Update Beta8
cpe:2.3:a:nathan_haug:webform:7.x-3.0:beta8:*:*:*:*:*:*
Matching versions
When used together with: Drupal » Drupal » Version: N/A
Nathan Haug » Webform » Version: 7.x-3.x Update DEV
cpe:2.3:a:nathan_haug:webform:7.x-3.x:dev:*:*:*:*:*:*
Matching versions
When used together with: Drupal » Drupal » Version: N/A

Vulnerability Details : CVE-2012-1660

Exploit prediction scoring system (EPSS) score for CVE-2012-1660

CVSS scores for CVE-2012-1660

CWE ids for CVE-2012-1660

References for CVE-2012-1660

Products affected by CVE-2012-1660