-
CVSS Score
-Basic Information
CVE ID
-
GHSA ID
-
EPSS Score
-
CWE
-
Published
-
Updated
-
KEV Status
-
Technology
-
Technical Details
Vulnerability Intelligence
Miggo AI
Miggo AIMiggo AI| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| drupal/simple_multistep | composer | < 2.0.0 | 2.0.0 |
Miggo AIRoot Cause AnalysisThe vulnerability was a Cross-Site Scripting (XSS) issue within the multi-step form building process. The root cause was an insecure, custom implementation for managing form state across multiple steps. Instead of relying on Drupal's core APIs, the module manually captured raw user input from the form state using getUserInput() in the MultistepController::saveInputValues method. This unsanitized input was then stored and re-injected into the form for subsequent steps by the simple_multistep_register_next_step function using setUserInput(). This action bypasses Drupal's rendering layer and sanitization filters (like Twig's auto-escaping), allowing any JavaScript payload submitted by a user in one step to be executed in their browser in a later step. The patch remediates this by removing the entire manual state management mechanism and replacing it with calls to Drupal's core entity form API (buildEntity and setEntity), which handles data persistence and rendering securely.
simple_multistep_register_next_stepsimple_multistep.module
Drupal\simple_multistep\MultistepController::saveInputValuessrc/MultistepController.php
simple_multistep_multistep_validatesimple_multistep.module
PHPPHPOngoing coverage of React2Shell