Posted by kscheirer on January 13, 2011 at 7:44pm
Webform will allow anyone to gain complete control over your site. No permissions or accounts needed.
Ok, all Security Advisories (SAs) are worthwhile, but I really wanted to make sure people knew about the recent webform vulnerability. A lot of sites use it, especially smaller clients. If you're using the webform 3.x branch, upgrade immediately to webform 3.6. If you stayed on the webform 2 branch (2.10 for example), you're safe. If you already have webform 3.6, you're safe.
The full post is here: SA-CONTRIB-2011-001 - Webform - SQL Injection
I forgot to bring this up in the meetup yesterday :)
