"It has been a pleasure to work with Casey, Rick and Phil from Ricochet. We were initially faced with a dip in productivity on our project due to some team member's contributing to DrupalCon Munich. Casey and team were able to step in, ramp up, and start contributing to solutions immediately. When our team members returned from Munich, we decided the Ricochet guys were too valuable and helpful to let go, so we have kept them on as members of the team until launch.
—Suzy Bates, Four Kitchens

Entity Form Steps - Moderately critical - Cross site scripting - SA-CONTRIB-2024-071

Wed, 2024-12-04 08:20 — Anonymous (not verified)

Project: Entity Form StepsDate: 2024-December-04Security risk: Moderately critical 13 ∕ 25 AC:Basic/A:Admin/CI:Some/II:Some/E:Theoretical/TD:AllVulnerability: Cross site scriptingAffected versions: <1.1.4Description: This module allows a site builder to create multi-step entity forms leveraging the Field Group field type plugins.
The module doesn't escape plain text administrative configurations. An attacker with admin access could inject arbitrary JavaScript code.
This vulnerability is mitigated by the fact that an attacker must have a role with the 'administer [entity_type] form display' permission allowing access to configure entity form displays.Solution: Install the latest version:

If you use the Entity Form Steps module for Drupal 9.x/10.x, upgrade to Entity Form Steps 1.1.4

Reported By:

Ide Braakman

Fixed By:

Coordinated By:

Ivo Van Geertruyen of the Drupal Security Team

Path to article https://www.drupal.org/sa-contrib-2024-071

Search form

Entity Form Steps - Moderately critical - Cross site scripting - SA-CONTRIB-2024-071