it-securitynotifies AT lists.piratenpartei.de
Subject: Security announcements
List archive
[IT-SecNots] [Security-news] Entity Form Steps - Moderately critical - Cross site scripting - SA-CONTRIB-2024-071
- From: security-news AT drupal.org
- To: security-news AT drupal.org
- Subject: [IT-SecNots] [Security-news] Entity Form Steps - Moderately critical - Cross site scripting - SA-CONTRIB-2024-071
- Date: Wed, 4 Dec 2024 17:22:55 +0000 (UTC)
- Authentication-results: lists.piratenpartei.de; dkim=pass header.d=drupal.org header.s=default header.b=ffu32pI7; spf=pass (lists.piratenpartei.de: domain of security-news-bounces AT drupal.org designates 140.211.166.133 as permitted sender) smtp.mailfrom=security-news-bounces AT drupal.org; dmarc=pass (policy=none) header.from=drupal.org
- Dkim-filter: OpenDKIM Filter v2.11.0 smtp2.osuosl.org 65E27435FD
- Dkim-filter: OpenDKIM Filter v2.11.0 smtp3.osuosl.org 5F5B9606BF
- List-archive: <http://lists.drupal.org/pipermail/security-news/>
- List-id: <security-news.drupal.org>
View online: https://www.drupal.org/sa-contrib-2024-071
Project: Entity Form Steps [1]
Date: 2024-December-04
Security risk: *Moderately critical* 13/25
AC:Basic/A:Admin/CI:Some/II:Some/E:Theoretical/TD:All [2]
Vulnerability: Cross site scripting
Affected versions: <1.1.4
Description:
This module allows a site builder to create multi-step entity forms
leveraging the Field Group field type plugins.
The module does not escape plain-text administrative configuration values in
its output. An attacker with admin access could therefore inject arbitrary
JavaScript code.
This vulnerability is mitigated by the fact that an attacker must have a role
with the 'administer [entity_type] form display' permission allowing access
to configure entity form displays.
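The failure class the advisory describes (a plain-text administrative setting reaching HTML unescaped), shown in stand-alone PHP as an added example. This is not code from the Entity Form Steps module: the step-label setting, the function names and the sample configuration value are assumptions made for the illustration; the escaping call is the one Drupal's own Html::escape() wraps.

```php
<?php
// Added illustration for SA-CONTRIB-2024-071. This is not code from the
// Entity Form Steps module; the step-label setting, function names and the
// sample configuration value below are assumptions made for the example.

declare(strict_types=1);

// Constructed sample: a "plain text" configuration value that a user holding
// 'administer node form display' could save through the form display UI.
// A benign value would be something like 'Step 1: Basic information'.
const MALICIOUS_STEP_LABEL = 'Step 1<img src=x onerror="alert(document.cookie)">';

/**
 * Vulnerable pattern: the configuration string is concatenated straight into
 * HTML, so anything the configuring user typed is parsed as markup by every
 * browser that loads the entity form.
 */
function render_step_heading_unsafe(string $label): string
{
    return '<h2 class="form-step">' . $label . '</h2>';
}

/**
 * Hardened pattern: escape before the value reaches HTML. This is the same
 * call Drupal's \Drupal\Component\Utility\Html::escape() wraps; inside a
 * render array the equivalent is '#plain_text' => $label rather than
 * '#markup' => $label.
 */
function escape_plain_text(string $text): string
{
    return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function render_step_heading_safe(string $label): string
{
    return '<h2 class="form-step">' . escape_plain_text($label) . '</h2>';
}

/**
 * Reviewer's smoke check: strip the heading wrapper the template itself emits
 * and ask whether the configuration-derived remainder still contains a raw
 * tag opener. Escaped output has no unescaped '<' left to match.
 */
function config_reached_output_as_markup(string $rendered): bool
{
    $inner = preg_replace('~^<h2 class="form-step">|</h2>$~', '', $rendered);
    return preg_match('~<[a-z/!?]~i', $inner) === 1;
}

$unsafe = render_step_heading_unsafe(MALICIOUS_STEP_LABEL);
$safe   = render_step_heading_safe(MALICIOUS_STEP_LABEL);

printf("unsafe: %s\n  injected markup live: %s\n", $unsafe,
    config_reached_output_as_markup($unsafe) ? 'yes' : 'no');
printf("safe:   %s\n  injected markup live: %s\n", $safe,
    config_reached_output_as_markup($safe) ? 'yes' : 'no');
```

Run it with `php example.php`. The unsafe heading keeps the `<img>` element and its `onerror` handler live; the escaped heading carries the same bytes as inert text. The point of the check is that the permission gate the advisory mentions limits who can plant the payload, not who runs it: once stored, the value executes in the browser of anyone who loads the affected form, so the fix has to be at the output boundary, not in who may edit the configuration.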
Solution:
Install the latest version:
* If you use the Entity Form Steps module for Drupal 9.x/10.x, upgrade to
Entity Form Steps 1.1.4 [3]
Reported By:
* Ide Braakman [4]
Fixed By:
* Rob [5]
Coordinated By:
* Ivo Van Geertruyen [6] of the Drupal Security Team
[1] https://www.drupal.org/project/entity_form_steps
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/entity_form_steps/releases/1.1.4
[4] https://www.drupal.org/user/1879760
[5] https://www.drupal.org/user/459772
[6] https://www.drupal.org/u/mrbaileys
_______________________________________________
Security-news mailing list
Security-news AT drupal.org
Unsubscribe at https://lists.drupal.org/mailman/listinfo/security-news
Archive provided by MHonArc 2.6.19+.