Entity Form Steps - Moderately critical - Cross site scripting - SA-CONTRIB-2024-071

Project:

Entity Form Steps

Date:

2024-December-04

Security risk:

Moderately critical 13 ∕ 25 AC:Basic/A:Admin/CI:Some/II:Some/E:Theoretical/TD:All

Vulnerability:

Cross site scripting

Affected versions:

<1.1.4

CVE IDs:

CVE-2024-13305

Description:

This module allows a site builder to create multi-step entity forms leveraging the Field Group field type plugins.

The module doesn't escape plain text administrative configurations. An attacker with admin access could inject arbitrary JavaScript code.

This vulnerability is mitigated by the fact that an attacker must have a role with the 'administer [entity_type] form display' permission allowing access to configure entity form displays.

Solution:

Install the latest version:

If you use the Entity Form Steps module for Drupal 9.x/10.x, upgrade to Entity Form Steps 1.1.4

Reported By:

Ide Braakman

Fixed By:

Coordinated By:

Ivo Van Geertruyen of the Drupal Security Team

Contribution record

Entity Form Steps - Moderately critical - Cross site scripting - SA-CONTRIB-2024-071

Contact and more information

Contributing organizations for this advisory

News items

Our community

Documentation

Drupal code base

Governance of community