Several weak points rated as “Moderately Critical” in two modules for the Drupal content management system (CMS) could have been exploited by attackers with low access rights to carry out cross-site scripting attacks. Updates are available for the “Webform” and “Admin Toolbar” modules in question and should be applied as soon as possible.
Further details on the vulnerabilities, along with version information and links to the updates, can be found in the Drupal advisories SA-CONTRIB-2021-026 (web form) and SA-CONTRIB-2021-025 (Admin Toolbar). The latter shows that the toolbar weaknesses can only be exploited under certain framework conditions (including activated search submodule). Attacks in the wild have not yet been observed.