Forms Steps allows the form to be displayed and the content to be edited through Forms Steps workflow entities. So even if a permission is set to the content type, users were able to use the Forms Steps workflow entities to access and create contents.
This vulnerability is mitigated by the fact that you have to know the Forms Steps URL to create a content linked to the workflow entity. Also, all created contents are very hard to edit through the same workflow as you have to know the URL and the linked hash to the content.
Finally the exposed contents are only the ones created through a Form Steps workflow.
This release fix this issue.
Forms Steps - Critical - Access bypass - SA-CONTRIB-2019-064
Last updated: 11 Aug 2019 at 08:33 UTCOfficial release from tag: 8.x-1.2Core compatibility: 8.x
Release type: Security update
Short description: This release fixes an access bypass vulnerabilityPackaged Git sha1: 63f00189f5bb59d16ec7f446f13a0dc4b9460168