[Security-news] Entity Form Steps - Moderately critical - Cross site scripting - SA-CONTRIB-2024-071

From: security-news at drupal.org
Wed Dec 4 17:22:55 UTC 2024


View online: https://www.drupal.org/sa-contrib-2024-071

Project: Entity Form Steps [1]
Date: 2024-December-04
Security risk: *Moderately critical* 13/25
AC:Basic/A:Admin/CI:Some/II:Some/E:Theoretical/TD:All [2]
Vulnerability: Cross site scripting

Affected versions: <1.1.4
Description: 
This module allows a site builder to create multi-step entity forms
leveraging the Field Group field type plugins.

The module does not escape plain-text administrative configuration values
before rendering them. An attacker with administrative access could inject
arbitrary JavaScript code through these settings.

This vulnerability is mitigated by the fact that an attacker must have a role
with the 'administer [entity_type] form display' permission, which grants
access to configure entity form displays.
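
As an added illustration, not code from the Entity Form Steps module: the pattern behind this class of bug in a Drupal render array, with a hypothetical step label taken from form display settings, shown in its vulnerable and escaped forms. The helper names, the label value and the template are assumptions.

```php
<?php

// Added illustration; not the Entity Form Steps module's own code. The
// function names, element keys and sample label are hypothetical.

use Drupal\Component\Render\FormattableMarkup;
use Drupal\Core\Render\Markup;

// Constructed sample: a step label as a user holding the
// 'administer [entity_type] form display' permission could save it in the
// form display settings. Configuration comes from a trusted role, but it is
// still text, not HTML, and must be escaped when rendered.
$step_label = 'Personal details <img src=x onerror="alert(1)">';

// VULNERABLE pattern: wrapping the setting in Markup::create() marks it as
// safe HTML, so Twig's autoescaping is skipped and the administrator-supplied
// tags reach the browser intact. Writing {{ label|raw }} in the template has
// the same effect.
function build_step_heading_unsafe(string $label): array {
  return [
    '#type' => 'inline_template',
    '#template' => '<h2 class="step-title">{{ label }}</h2>',
    '#context' => ['label' => Markup::create($label)],
  ];
}

// HARDENED: pass the setting as a plain string. Twig autoescapes string
// context values, so '<' and '>' are emitted as entities and no element or
// event handler is created.
function build_step_heading_safe(string $label): array {
  return [
    '#type' => 'inline_template',
    '#template' => '<h2 class="step-title">{{ label }}</h2>',
    '#context' => ['label' => $label],
  ];
}

// The same rule outside the render pipeline: an '@' placeholder in
// FormattableMarkup (and in t()) is HTML-escaped before substitution.
function step_heading_markup(string $label): FormattableMarkup {
  return new FormattableMarkup('<h2 class="step-title">@label</h2>', [
    '@label' => $label,
  ]);
}
```

When reviewing a fix of this kind, search the module for Markup::create(), |raw and string concatenation into '#markup' or '#template' wherever a configuration value is used.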

Solution: 
Install the latest version:

   * If you use the Entity Form Steps module for Drupal 9.x/10.x, upgrade to
     Entity Form Steps 1.1.4 [3]

Reported By: 
   * Ide Braakman [4]

Fixed By: 
   * Rob [5]

Coordinated By: 
   * Ivo Van Geertruyen [6] of the Drupal Security Team


[1] https://www.drupal.org/project/entity_form_steps
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/entity_form_steps/releases/1.1.4
[4] https://www.drupal.org/user/1879760
[5] https://www.drupal.org/user/459772
[6] https://www.drupal.org/u/mrbaileys


