About the Webform SA
Today we released a security announcement about a Webform SQL injection vulnerability, outside of the normal Wednesday release schedule.
I chose to release today with a minimal fix instead of waiting until January 12th for a combination of reasons:
- The vulnerability was made public.
- The injection requires no permissions at all.
- High impact; easy uid 1 access.
- No other user interaction required.
- Webform was under high scrutiny last week due to the Geenstijl shockblog.
- We received news today that the hole was being actively exploited.
This combination could have turned out to be very damaging for a lot of Drupal sites had we waited longer.
Versions
To clear up any confusion regarding the affected supported branches: only Webform 6.x-3.x is affected. Users of Webform 6.x-3.x should upgrade to Webform 6.x-3.5.
The Webform 6.x-2.x versions are not affected by this vulnerability. As long as you use 6.x-2.8, 6.x-2.9 or 6.x-2.10 you're good. Older versions of the Webform 6.x-2.x branch have different vulnerabilities that were already announced.
Webform for Drupal 5.x and the 7.x betas are not supported by the security team.
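To make the branch rules above easy to apply across a fleet of sites, here is an added example (not part of the original announcement, and not Webform's own code) that reads the packaged version line Drupal's packaging script writes into a contrib module's .info file (for example `version = "6.x-3.4"`, or `"6.x-3.x-dev"` for a dev snapshot) and maps it onto the branches named in this announcement. The site path handed to `scan()` is hypothetical and the sample .info bodies are constructed; git checkouts without a packaged version line are reported as unknown rather than guessed at.

```python
import re
from pathlib import Path

# The packaging script adds a line like `version = "6.x-3.4"` to a contrib
# module's .info file; git/dev checkouts usually lack it or carry "6.x-3.x-dev".
VERSION_RE = re.compile(
    r'^\s*version\s*=\s*"?(\d+)\.x-(\d+)\.(\d+|x)(?:-[\w.]+)?"?\s*$', re.MULTILINE)


def parse_version(info_text):
    """Return (core, branch, patch) from a webform.info body.

    patch is None for a dev snapshot ("6.x-3.x-dev"); the whole result is None
    when no packaged version line is present.
    """
    m = VERSION_RE.search(info_text)
    if not m:
        return None
    core, branch, patch = m.groups()
    return int(core), int(branch), (None if patch == "x" else int(patch))


def assess(version):
    """Map a parsed Webform version onto the branches named in the announcement."""
    if version is None:
        return "unknown: no packaged version line; check the checkout by hand"
    core, branch, patch = version
    if core != 6:
        return "unsupported: only Webform 6.x branches are covered by the security team"
    if branch == 3:
        if patch is None:
            return "unknown: 6.x-3.x dev snapshot; confirm it postdates the fix"
        if patch < 5:
            return "AFFECTED: upgrade to Webform 6.x-3.5"
        return "ok: 6.x-3.5 or later"
    if branch == 2:
        if patch is None or patch < 8:
            return "outdated: older 6.x-2.x has separately announced vulnerabilities"
        return "ok: 6.x-2.8 or later is not affected by this SA"
    return "unsupported: unrecognised Webform branch"


def scan(site_root):
    """Walk a Drupal site tree and assess every webform.info found.

    Returns {path: verdict}. site_root is a hypothetical path supplied by the caller.
    """
    results = {}
    for info in Path(site_root).rglob("webform.info"):
        results[str(info)] = assess(parse_version(info.read_text(errors="replace")))
    return results


# Constructed sample .info bodies, one per case the announcement distinguishes.
SAMPLES = {
    "3.4 packaged": 'name = Webform\ncore = 6.x\nversion = "6.x-3.4"\n',
    "3.5 packaged": 'name = Webform\ncore = 6.x\nversion = "6.x-3.5"\n',
    "2.8 packaged": 'name = Webform\ncore = 6.x\nversion = "6.x-2.8"\n',
    "2.7 packaged": 'name = Webform\ncore = 6.x\nversion = "6.x-2.7"\n',
    "3.x dev":      'name = Webform\ncore = 6.x\nversion = "6.x-3.x-dev"\n',
    "git checkout": 'name = Webform\ncore = 6.x\n',
    "7.x beta":     'name = Webform\ncore = 7.x\nversion = "7.x-3.0-beta1"\n',
}

if __name__ == "__main__":
    for label, body in SAMPLES.items():
        print(f"{label:14} -> {assess(parse_version(body))}")
```

Run it against a real site with `scan("/var/www/example")` (path is a placeholder); any `AFFECTED` verdict means the site is on 6.x-3.x below 3.5 and needs the upgrade, while `unknown` verdicts are dev or git checkouts that have to be checked against the fix by hand rather than by version string.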