Forms Steps - Critical - Access bypass - SA-CONTRIB-2019-064

Project: Forms Steps
Date: 2019-August-14
Security risk: Critical 16∕25
Vulnerability: Access bypass

Description

Forms Steps provides a UI to create form workflows using form modes. It creates quick and configurable multistep forms.

The module doesn't sufficiently check user permissions for access to its workflow entities, which allows viewing any entities that have been created through the different steps of its multistep forms.

This vulnerability is mitigated by the fact that you have to know the Forms Steps URL to create content linked to the flow. Also, all created content is very hard to edit through the same flow, as you have to know both the URL and the hash linked to the content.

Solution

Install the latest version:

If you use the Forms Steps module for Drupal 8.x, upgrade to Forms Steps 8.x-1.2.

Also see the Forms Steps project page.
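
To find installs still running a release older than the fixed one, the check below reads the `version:` line that drupal.org packaging writes into a module's `.info.yml` and compares it with 8.x-1.2. It is an added example, not part of the advisory or the Forms Steps project; the sample file contents and the function names are constructed for illustration.

```python
import re

FIXED = "8.x-1.2"  # fixed release named in the advisory

# Pre-release stages sort below the final release of the same number.
_STAGE = {"dev": 0, "alpha": 1, "beta": 2, "rc": 3, None: 4}
_VERSION_RE = re.compile(r"^8\.x-(\d+)\.(\d+|x)(?:-(dev|alpha|beta|rc)(\d*))?$")

# Constructed sample of a packaged forms_steps.info.yml (not copied from the project).
SAMPLE_INFO = """\
name: Forms Steps
type: module
core: 8.x
version: '8.x-1.1'
project: 'forms_steps'
"""


def parse_version(text):
    """Return a sortable tuple, or None when the string cannot be ranked."""
    m = _VERSION_RE.match(text.strip())
    if not m or m.group(2) == "x":  # unknown format, or a branch snapshot like 8.x-1.x-dev
        return None
    major, minor, stage, stage_num = m.groups()
    return (int(major), int(minor), _STAGE[stage], int(stage_num or 0))


def info_version(info_yml_text):
    """Extract the version value from .info.yml text, if present."""
    for line in info_yml_text.splitlines():
        m = re.match(r"""^version:\s*['"]?([^'"\s]+)['"]?\s*$""", line)
        if m:
            return m.group(1)
    return None  # e.g. a git checkout without packaging metadata


def status(info_yml_text):
    """Classify an install as 'upgrade', 'ok' or 'unknown' (needs manual review)."""
    version = info_version(info_yml_text)
    parsed = parse_version(version) if version else None
    if parsed is None:
        return "unknown"
    return "upgrade" if parsed < parse_version(FIXED) else "ok"


if __name__ == "__main__":
    print(status(SAMPLE_INFO))
```

An `unknown` result (a dev snapshot or a checkout with no version line) means the file cannot be ranked against 8.x-1.2 and the install should be checked by hand.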

Nick Onom
Marketing Project Manager