DRUPAL-CONTRIB-2019-064

Import Source

https://github.com/DrupalSecurityTeam/drupal-advisory-database/blob/main/advisories/forms_steps/DRUPAL-CONTRIB-2019-064.json

JSON Data

https://api.osv.dev/v1/vulns/DRUPAL-CONTRIB-2019-064

Published

2019-08-14T17:33:20Z

Modified

2025-12-10T23:32:33.486417Z

Summary

[none]

Details

Forms Steps provides an UI to create form workflows using form modes. It creates quick and configurable multisteps forms.

The module doesn't sufficiently check user permissions to access its workflows entities that allows to see any entities that have been created through the different steps of its multistep forms.

This vulnerability is mitigated by the fact that you have to know the Forms Steps URL to create a content linked to the flow. Also, all created content is very hard to edit through the same flow as you have to know the URL and the linked hash to the content.

References

https://www.drupal.org/sa-contrib-2019-064

Credits

- solide-echt
- - https://www.drupal.org/user/46176

Affected packages

Packagist:https://packages.drupal.org/8 / drupal/forms_steps

Package

Name: drupal/forms_steps
Purl: pkg:composer/drupal/forms_steps

Affected ranges

Type

ECOSYSTEM

Events

Introduced

Fixed

1.2.0

Database specific

{
    "constraint": "<1.2.0"
}

Database specific

affected_versions

"<1.2.0"

source

"https://github.com/DrupalSecurityTeam/drupal-advisory-database/blob/main/advisories/forms_steps/DRUPAL-CONTRIB-2019-064.json"