VYPR
Low severity · NVD Advisory · Published Nov 18, 2025 · Updated Nov 18, 2025

Simple multi step form - Moderately critical - Cross-site Scripting - SA-CONTRIB-2025-116

CVE-2025-12761

Description

Improper Neutralization of Input During Web Page Generation ("Cross-site Scripting") vulnerability in Drupal Simple multi step form allows Cross-Site Scripting (XSS). This issue affects Simple multi step form: from 0.0.0 before 2.0.0.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A stored XSS vulnerability in Drupal's Simple multi step form module allows attackers with node form display admin rights to inject arbitrary scripts.

Vulnerability

Overview

The Simple multi step form module for Drupal fails to properly sanitize user-provided input during web page generation, leading to a stored cross-site scripting (XSS) vulnerability [1]. This issue affects all versions from 0.0.0 up to, but not including, 2.0.0 [1]. The root cause is improper neutralization of input, which allows an attacker to inject malicious scripts that are later executed in the context of other users' browsers.

Exploitation

Prerequisites

Exploitation requires the attacker to have a Drupal role with the "administer node form display" permission [2]. This permission is typically granted to trusted site administrators, which somewhat limits the attack surface but does not eliminate the risk, especially in multi-tenant or delegated administration scenarios. The vulnerability is triggered when the injected content is rendered on a page viewed by other users.

Impact

Successful exploitation enables an attacker to execute arbitrary JavaScript in the browsers of other users, including site administrators. This can lead to session hijacking, defacement, data theft, or further privilege escalation within the Drupal site [2]. The severity is considered moderately critical by the Drupal security team.

Mitigation

The Drupal project has released a fix in the 2.x branch of the module. Users are strongly advised to upgrade to a release from the 2.x branch immediately, as the 8.x-1.x branch is now unsupported and will not receive further security updates [2]. No workarounds are provided; upgrading is the only recommended solution.

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: drupal/simple_multistep (Packagist)
Affected versions: < 2.0.0
Patched versions: 2.0.0

Affected products: 2

Patches: 0

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References: 3

News mentions: 0

No linked articles in our index yet.