Overview
CVE-2025-12848 describes a stored cross-site scripting (XSS) vulnerability in the Webform Multiple File Upload module for Drupal 7.x. An unauthenticated attacker can inject JavaScript by uploading a file whose name contains HTML markup. When a victim later views the Webform node that displays the uploaded file, the injected script runs in the victim's browser within the site's origin, which can lead to data theft, session hijacking, or other actions performed with the victim's privileges.
Technical Details
The vulnerability is in the file name renderer of the Webform Multiple File Upload module: the name of an uploaded file is inserted into the page as HTML rather than escaped as text. An attacker uploads a file whose name is itself markup, such as <img src=1 onerror=alert(document.domain)>. If file type validation is disabled for the Multifile field in the Webform configuration, the upload is accepted. When a user views the Webform node with the uploaded file, the browser parses the unescaped name as markup, creates the <img> element, fails to load its bogus source, and fires the onerror handler, so the attacker's JavaScript executes in the viewer's session. Note that file type validation only examines the trailing extension, so it is at best an incidental barrier; the defect is the missing output escaping.
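The following is an added example, not code from the Webform Multiple File Upload module or from the fyneworks/multifile library. It models the bug class in plain JavaScript: a file name concatenated into an HTML string creates new elements and event handlers once that string is inserted into the DOM, whereas the same name escaped at the point of output is displayed verbatim. The sample file names, the `renderFilename*` functions and the `introducesMarkup` check are all constructed for this illustration.

```javascript
// Added example (not from the module or the multifile library).
// Constructed inputs: one benign name and the crafted name from the advisory.
const BENIGN_NAME = 'report-2025.pdf';
const CRAFTED_NAME = '<img src=1 onerror=alert(document.domain)>';

// Vulnerable pattern: the untrusted name is interpolated into markup unescaped.
// When this string is inserted with innerHTML (or jQuery .html()), the browser
// parses the name as HTML, creates the <img>, and runs its onerror handler.
function renderFilenameUnsafe(name) {
  return '<li class="upload">' + name + '</li>';
}

// Escape the characters that can change HTML structure or break out of an
// attribute value. The browser then renders the entities as literal text.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Hardened pattern: identical template, untrusted data escaped on output.
function renderFilenameSafe(name) {
  return '<li class="upload">' + escapeHtml(name) + '</li>';
}

// Count start tags, and start tags carrying an on*= event-handler attribute.
// Only real tags are counted, so escaped text such as "&lt;img ... onerror="
// is not mistaken for markup.
function countTags(html) {
  return (html.match(/<[a-zA-Z][^>]*>/g) || []).length;
}
function countHandlerTags(html) {
  return (html.match(/<[a-zA-Z][^>]*\son[a-z]+\s*=[^>]*>/gi) || []).length;
}

// Reviewer's check: did the untrusted value add any tag or handler that the
// template itself did not contain? True means the rendering is injectable.
function introducesMarkup(template, rendered) {
  return countTags(rendered) > countTags(template)
    || countHandlerTags(rendered) > countHandlerTags(template);
}

// The static template with the untrusted slot left empty.
const TEMPLATE = '<li class="upload"></li>';

// Stand-alone run: report which rendering is injectable for the crafted name.
for (const [label, render] of [['unsafe', renderFilenameUnsafe], ['safe', renderFilenameSafe]]) {
  const out = render(CRAFTED_NAME);
  console.log(label, introducesMarkup(TEMPLATE, out) ? 'INJECTABLE' : 'ok', out);
}
```

The check generalises beyond the advisory's payload: any name that raises the tag or handler count in the rendered output would have become live markup, which is the property the fix must remove. Escaping at the output sink is the correct fix; filtering names on upload is only a secondary control.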
The root cause of this vulnerability resides within a third-party library used by the module. A patch addressing the issue has been submitted to the library’s repository.
CVSS Analysis
A CVSS score is currently not available (N/A) for CVE-2025-12848. The vulnerability should nevertheless be treated as a serious risk: the payload can be planted without authentication, it persists in the site's content, and it executes for every user who views the affected Webform node. Stored XSS of this kind is typically rated medium to high depending on who views the injected content and what actions their session can perform.
Possible Impact
Successful exploitation of this XSS vulnerability can have significant consequences:
- Data Theft: The script runs in the site's origin and can read page content, form data, and any cookies not marked HttpOnly, then exfiltrate them to an attacker-controlled host.
- Session Hijacking: Where the session cookie is HttpOnly the script cannot read it directly, but it can still issue authenticated requests from the victim's browser, including fetching CSRF tokens and submitting forms, effectively acting with the victim's privileges on the Drupal site.
- Website Defacement: The script can rewrite the rendered page for the victim, display misleading content, or redirect the victim to a phishing site.
- Malware Distribution: The script is confined to the browser, but it can redirect victims to drive-by download pages or present fake update prompts that lead to malware installation.
Mitigation & Patch Steps
Users of the Webform Multiple File Upload module for Drupal 7.x are strongly advised to take the following steps to mitigate the risk:
- Apply the Patch: Apply the patch available at https://github.com/fyneworks/multifile/pull/44. This patch addresses the underlying vulnerability in the third-party library.
- Update the Module: If a patched version of the Webform Multiple File Upload module is released, update to the latest version as soon as possible.
- Enable File Type Validation: In the Webform configuration, ensure that file type validation is enabled for Multifile fields. This rejects uploads whose extension is not on the allow list, which blocks the exact payload above. It is not a complete fix, however: extension checks examine only the trailing part of the name, so markup placed before an allowed extension can still pass.
- Review Existing Uploads: Examine the names of files already uploaded through the Webform for HTML-significant characters such as <, >, quotes, or on*= attributes. Remove any files whose names contain markup, since they remain live payloads until the renderer is patched.
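As an added example for the review step (not code from the module, the library, or the advisory), the following scans a list of stored upload names and flags the ones that could become markup when rendered. It assumes the names have been exported from the site as a newline-separated list; the list below is constructed for the demonstration, and the check names and reasons are this example's own.

```javascript
// Added example (not from the module or the multifile library).
// Constructed export: six stored upload names, three of them hostile.
const SAMPLE_EXPORT = [
  'quarterly-report.pdf',
  'photo (1).jpg',
  '<img src=1 onerror=alert(document.domain)>',
  'resume"><svg onload=alert(1)>.docx',
  'notes & drafts.txt',
  'javascript:alert(1).png',
].join('\n');

// Each check describes one way a file name can turn into live markup or
// script when it is rendered unescaped into HTML.
const CHECKS = [
  { reason: 'angle bracket (can open or close a tag)', re: /[<>]/ },
  { reason: 'quote (can break out of an attribute value)', re: /["']/ },
  { reason: 'event-handler attribute (on*=)', re: /\bon[a-z]+\s*=/i },
  { reason: 'javascript: URL scheme', re: /javascript\s*:/i },
];

// Return the list of reasons a single name is suspicious (empty if none).
// A lone ampersand or parentheses are not flagged: they are harmless in a
// file name and only need escaping at the output sink.
function auditFilename(name) {
  return CHECKS.filter((c) => c.re.test(name)).map((c) => c.reason);
}

// Parse the newline-separated export and keep only the flagged entries.
function auditExport(text) {
  return text
    .split(/\r?\n/)
    .filter((line) => line.length > 0)
    .map((name) => ({ name, reasons: auditFilename(name) }))
    .filter((entry) => entry.reasons.length > 0);
}

// Stand-alone run: print each flagged name with the reasons it was flagged.
for (const { name, reasons } of auditExport(SAMPLE_EXPORT)) {
  console.log(JSON.stringify(name), '->', reasons.join('; '));
}
```

Treat a hit as a reason to inspect and remove the file, not as proof of compromise on its own; a name with a quote in it is unusual but not necessarily malicious. The same function can be applied to incoming names as an extra control, but it does not replace escaping at the renderer, which is the actual fix.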
