DRUPAL-CONTRIB-2025-116

Import Source
https://github.com/DrupalSecurityTeam/drupal-advisory-database/blob/main/advisories/simple_multistep/DRUPAL-CONTRIB-2025-116.json
JSON Data
https://api.osv.dev/v1/vulns/DRUPAL-CONTRIB-2025-116
Aliases
Published
2025-11-05T18:09:13Z
Modified
2025-12-10T23:41:21.015046Z
Summary
[none]
Details

This module provides the ability to convert any entity form into a simple multi-step form.

The module doesn’t sufficiently filter certain user-provided text, leading to a cross-site scripting (XSS) vulnerability.

This vulnerability is mitigated by the fact that an attacker must have a role with the permission “administer node form display”.

References
Credits

Affected packages

Packagist:https://packages.drupal.org/8 / drupal/simple_multistep

Package

Name
drupal/simple_multistep
Purl
pkg:composer/drupal/simple_multistep

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
2.0.0
Database specific
{
    "constraint": "<2.0.0"
}

Database specific

affected_versions

"<2.0.0"