DRUPAL-CONTRIB-2024-071

Import Source
https://github.com/DrupalSecurityTeam/drupal-advisory-database/blob/main/advisories/entity_form_steps/DRUPAL-CONTRIB-2024-071.json
JSON Data
https://api.osv.dev/v1/vulns/DRUPAL-CONTRIB-2024-071
Aliases
  • CVE-2024-13305
Published
2024-12-04T16:20:57Z
Modified
2025-12-10T23:41:27.258293Z
Summary
[none]
Details

This module allows a site builder to create multi-step entity forms leveraging the Field Group field type plugins.

The module does not escape plain-text administrative configuration values before rendering them. An attacker with administrative access could use this to inject arbitrary JavaScript code.

This vulnerability is mitigated by the fact that an attacker must have a role with the 'administer [entity_type] form display' permission, which grants access to configure entity form displays.

References
Credits

Affected packages

Packagist: https://packages.drupal.org/8 / drupal/entity_form_steps

Package

Name
drupal/entity_form_steps
Purl
pkg:composer/drupal/entity_form_steps

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
1.1.4
Database specific
{
    "constraint": "<1.1.4"
}

Database specific

affected_versions
"<1.1.4"
source
"https://github.com/DrupalSecurityTeam/drupal-advisory-database/blob/main/advisories/entity_form_steps/DRUPAL-CONTRIB-2024-071.json"