"We run a non-profit summer camp and hired Ricochet to design our camper and staff database from scratch. Their initial design was custom fit to suit our needs and as those needs have evolved the helpful staff at Ricochet have insured that timely changes keep our database up to date and running smoothly. Thanks for the fantastic service and personal attention, it's made a huge difference for our camp!"
—Chrissie Endler, Camp del Corazon

Simple multi step form - Moderately critical - Cross-site Scripting - SA-CONTRIB-2025-116

Wed, 2025-11-05 10:09 — Anonymous (not verified)

Project: Simple multi step formDate: 2025-November-05Security risk: Moderately critical 13 ∕ 25 AC:Basic/A:Admin/CI:Some/II:Some/E:Theoretical/TD:AllVulnerability: Cross-site ScriptingAffected versions: <2.0.0CVE IDs: CVE-2025-12761Description: This module provides the ability to convert any entity form into a simple multi-step form.
The module doesn’t sufficiently filter certain user-provided text leading to a cross-site scripting (XSS) vulnerability.
This vulnerability is mitigated by the fact that an attacker must have a role with the permission “administer node form display”.Solution: Install the latest version:

If you use the Simple multi step form module for Drupal, upgrade to a release from the 2.x branch, as the 8.x-1.x branch is now unsupported

Reported By:

Ide Braakman (idebr)

Fixed By:

Coordinated By:

Greg Knaddison (greggles) of the Drupal Security Team
Ivo Van Geertruyen (mr.baileys) of the Drupal Security Team
Juraj Nemec (poker10) of the Drupal Security Team

Path to article https://www.drupal.org/sa-contrib-2025-116

Search form

Simple multi step form - Moderately critical - Cross-site Scripting - SA-CONTRIB-2025-116