{"dataType":"CVE_RECORD","dataVersion":"5.2","cveMetadata":{"cveId":"CVE-2025-12848","assignerOrgId":"2c85b837-eb8b-40ed-9d74-228c62987387","state":"PUBLISHED","assignerShortName":"drupal","dateReserved":"2025-11-06T21:09:12.402Z","datePublished":"2025-11-26T01:28:33.628Z","dateUpdated":"2026-03-26T20:52:30.614Z"},"containers":{"cna":{"providerMetadata":{"orgId":"2c85b837-eb8b-40ed-9d74-228c62987387","shortName":"drupal","dateUpdated":"2026-03-26T20:52:30.614Z"},"title":"XSS vulnerability when rendering filename in Webform Multifile","problemTypes":[{"descriptions":[{"lang":"en","cweId":"CWE-79","description":"CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')","type":"CWE"}]}],"impacts":[{"capecId":"CAPEC-63","descriptions":[{"lang":"en","value":"CAPEC-63 Cross-Site Scripting (XSS)"}]}],"affected":[{"vendor":"Drupal","product":"Drupal","collectionURL":"https://www.drupal.org/project/webform_multifile","packageName":"Webform Multifile Upload","repo":"https://git.drupalcode.org/project/webform_multifile","versions":[{"status":"affected","version":"7.x-1.0","lessThanOrEqual":"7.x-1.6","versionType":"custom"}],"defaultStatus":"unaffected"}],"descriptions":[{"lang":"en","value":"Webform Multiple File Upload module for Drupal 7.x contains a cross-site scripting (XSS) vulnerability in the file name renderer. An unauthenticated attacker can exploit this vulnerability by uploading a file with a malicious\nfilename containing JavaScript code (e.g., \"<img src=1 onerror=alert(document.domain)>\") to a Webform node with a Multifile field where file type validation is disabled. This allows the execution of arbitrary scripts\nin the context of the victim's browser.\n \nThe issue is present in a third-party library and has been addressed in a patch available at https://github.com/fyneworks/multifile/pull/44. 
Users are advised to apply the provided patch or update to a fixed version of the module.","supportingMedia":[{"type":"text/html","base64":false,"value":"Webform Multiple File Upload module for Drupal 7.x contains a cross-site scripting (XSS) vulnerability in the file name renderer. An unauthenticated attacker can exploit this vulnerability by uploading a file with a malicious<br>filename containing JavaScript code (e.g., \"&lt;img src=1 onerror=alert(document.domain)&gt;\") to a Webform node with a Multifile field where file type validation is disabled. This allows the execution of arbitrary scripts<br>in the context of the victim's browser.<br> <br>The issue is present in a third-party library and has been addressed in a patch available at&nbsp;<a target=\"_blank\" rel=\"nofollow\" href=\"https://github.com/fyneworks/multifile/pull/44\">https://github.com/fyneworks/multifile/pull/44</a>. Users are advised to apply the provided patch or update to a fixed version of the module.<br><br><br>"}]}],"references":[{"url":"https://www.drupal.org/node/3105204","tags":["issue-tracking"]},{"url":"https://www.d7security.org/security-advisories/D7SECURITY-SA-CONTRIB-2025-001/","tags":["third-party-advisory"]},{"url":"https://www.herodevs.com/vulnerability-directory/cve-2025-12848","tags":["third-party-advisory"]},{"url":"https://d7es.tag1.com/security-advisories/webform-multiple-file-upload-critical-cross-site-scripting","tags":["third-party-advisory"]}],"metrics":[{"format":"CVSS","scenarios":[{"lang":"en","value":"GENERAL"}],"cvssV4_0":{"attackVector":"NETWORK","attackComplexity":"LOW","attackRequirements":"NONE","privilegesRequired":"NONE","userInteraction":"ACTIVE","vulnConfidentialityImpact":"LOW","subConfidentialityImpact":"NONE","vulnIntegrityImpact":"LOW","subIntegrityImpact":"NONE","vulnAvailabilityImpact":"HIGH","subAvailabilityImpact":"NONE","exploitMaturity":"NOT_DEFINED","Safety":"NEGLIGIBLE","Automatable":"NOT_DEFINED","Recovery":"USER","valueDensity":"DIFFUSE","v
ulnerabilityResponseEffort":"LOW","providerUrgency":"AMBER","version":"4.0","baseSeverity":"HIGH","baseScore":7,"vectorString":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:H/SC:N/SI:N/SA:N/S:N/R:U/V:D/RE:L/U:Amber"}}],"source":{"discovery":"UNKNOWN"},"x_generator":{"engine":"Vulnogram 0.2.0"}},"adp":[{"metrics":[{"other":{"type":"ssvc","content":{"timestamp":"2025-11-26T14:18:51.075955Z","id":"CVE-2025-12848","options":[{"Exploitation":"none"},{"Automatable":"no"},{"Technical Impact":"partial"}],"role":"CISA Coordinator","version":"2.0.3"}}}],"title":"CISA ADP Vulnrichment","providerMetadata":{"orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP","dateUpdated":"2025-11-26T14:19:01.182Z"}}]}}