CVE-2026-0749
This Vulnerability has been fixed in the Never-Ending Support (NES) version offered by HeroDevs.
Overview
Drupal is an open-source content management system known for its flexibility, robust features, and strong community support. Organizations of all sizes use it to build and manage dynamic websites and web applications. There is a cross-site scripting vulnerability in the Form Builder contributed module.
It’s possible to inject malicious Javascript code into the JavaScript-based form building system provided by the Form Builder contributed module.
A cross-site scripting (XSS) vulnerability allows attackers to inject malicious scripts into webpages. It often occurs when a site fails to properly validate or sanitize user input, enabling the execution of unauthorized code within a victim's browser. It is included in the OWASP Top Ten list of vulnerabilities, specifically in the third category of Injection. A web site compromised in this way may experience:
- Session hijacking
- Data theft
- Malware distribution
- Defacement or phishing and
- Privilege escalation.
This issue affects all versions of Drupal 7 Form Builder including and below 7.1.22; it is patched in Form Builder NES 7.1.23.
Details
Module Info
- Product: Drupal
- Affected code: Form Builder module
- Affected versions: >=7.1.0 <=7.1.22
- Project page: https://www.drupal.org/project/form_builder
- Fixed in: Form Builder NES 7.1.23
Vulnerability Info
This medium-severity vulnerability is found in all versions of the Form Builder module up to and including 7.1.22.
Steps To Reproduce
- Install Drupal 7 NES 7.103 or later.
- Set webflo/drupal-finder to version 1.2.1 (later versions require PHP 8.x).
- Install Webform and a susceptible version of Form Builder, such as 7.1.22.
- Enable the Webform, Form Builder, Form Builder Examples and Form Builder Webform modules.
- Add a block:
- Go to admin/structure/block/list/seven/add.
- Provide a title and block description.
- Under the block body, ensure the filter is to "Filtered HTML."
- Replace the <your-site> placeholder below with your site URL and paste it into the block body:
<blockquote id="form-builder-field-palette">
<ul class="form-builder-fields clearfix">
<li class="field-textfield form-builder-palette-element form-builder-wrapper">
XSS field
<a href="http://<your-site>/sites/default/files/payload.txt"></a>
</li>
</ul>
</blockquote>
- In "REGION SETTINGS" under "Seven (administration theme)" select "Content."
- Click "Save block."
- Create the file sites/default/files/payload.txt and add this content:
{"html":"<img src=x onerror=alert(document.domain)>"}
- Alternate option: host the JSON at an external URL and replace the <your-site> link above with that URL.
- If using an external URL, ensure the response includes an Access-Control-Allow-Origin: * header.
- Go to node/add/webform.
- Provide a title and click "Save."
- Drag the "XSS field" from the block into the form.
- Observe an alert dialog box appear.
Addressing the Issue
Users of the affected component(s) should address this exploit in one of the following ways:
- Strictly restrict user with access to the Form Builder graphical user interface
- Sign up for post-EOL security support; HeroDevs customers get immediate access to a patched version of this module.
Credits
Yonatan Offek (poiu)
