[Security-news] Forms Steps - Critical - Access bypass - SA-CONTRIB-2019-064
security-news at drupal.org
security-news at drupal.org
Wed Aug 14 17:56:22 UTC 2019
View online: https://www.drupal.org/sa-contrib-2019-064
Project: Forms Steps [1]
Date: 2019-August-14
Security risk: *Critical* 16∕25
AC:Basic/A:None/CI:Some/II:Some/E:Theoretical/TD:All [2]
Vulnerability: Access bypass
Description:
Forms Steps provides an UI to create form workflows using form modes. It
creates quick and configurable multisteps forms.
The module doesn't sufficiently check user permissions to access its
workflows entities that allows to see any entities that have been created
through the different steps of its multistep forms.
This vulnerability is mitigated by the fact that you have to know the Forms
Steps URL to create a content linked to the flow. Also, all created content
is very hard to edit through the same flow as you have to know the URL and
the linked hash to the content.
Solution:
Install the latest version:
* If you use the Forms Steps module for Drupal 8.x, upgrade to Forms Steps
8.x-1.2 [3]
Also see the Forms Steps [4] project page.
Reported By:
* solide-echt [5]
Fixed By:
* Hakim Rachidi [6]
* solide-echt [7]
* nicoloye [8]
Coordinated By:
* Michael Hess [9] of the Drupal Security Team
* Greg Knaddison [10] of the Drupal Security Team
[1] https://www.drupal.org/project/forms_steps
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/forms_steps/releases/8.x-1.2
[4] https://www.drupal.org/project/forms_steps
[5] https://www.drupal.org/user/46176
[6] https://www.drupal.org/user/3008327
[7] https://www.drupal.org/user/46176
[8] https://www.drupal.org/user/315225
[9] https://www.drupal.org/user/102818
[10] https://www.drupal.org/user/36762
More information about the Security-news
mailing list