View online: https://www.drupal.org/sa-contrib-2024-071

Project: Entity Form Steps [1] Date: 2024-December-04 Security risk: *Moderately critical* 13 ∕ 25 AC:Basic/A:Admin/CI:Some/II:Some/E:Theoretical/TD:All [2] Vulnerability: Cross site scripting

Affected versions: <1.1.4 Description:  This module allows a site builder to create multi-step entity forms leveraging the Field Group field type plugins.

The module doesn't escape plain text administrative configurations. An attacker with admin access could inject arbitrary JavaScript code.

This vulnerability is mitigated by the fact that an attacker must have a role with the 'administer [entity_type] form display' permission allowing access to configure entity form displays.

Solution:  Install the latest version:

* If you use the Entity Form Steps module for Drupal 9.x/10.x, upgrade to Entity Form Steps 1.1.4 [3]

Reported By:  * Ide Braakman [4]

Fixed By:  * Rob [5]

Coordinated By:  * Ivo Van Geertruyen [6] of the Drupal Security Team

[1] https://www.drupal.org/project/entity_form_steps [2] https://www.drupal.org/security-team/risk-levels [3] https://www.drupal.org/project/entity_form_steps/releases/1.1.4 [4] https://www.drupal.org/user/1879760 [5] https://www.drupal.org/user/459772 [6] https://www.drupal.org/u/mrbaileys