Authentication bypass while filling out forms

Moderate
sergei-maertens published GHSA-g936-w68m-87j8 Jul 25, 2022

Package

open-forms (open-formulieren)

Affected versions

< 1.1.4, < 1.0.12

Patched versions

1.1.4, 1.0.12

Description

Impact

End users filling out forms could accidentally or deliberately skip the "login" step of forms that require authentication.

One way to trigger this is logging out of the form and then hitting the browser's back button to return to a previous step. Clever URL crafting with some querystring parameters would also skip the login step.

This allowed them to fill out the form fields, possibly avoiding logic checks that would prevent them from filling out all or part of the form (such as checks on place of residence based on prefilled data). Additionally, some hidden components filled with prefill data would be empty and cause complications downstream when processing the form data.

Organizations processing the form data may be impacted by confusing submission data or illegitimate submissions, leading to unexpected or additional workload.

Patches

We have applied patches that perform additional permission checks in the API endpoints if authentication is required for the form. The end user will see a generic error message on their screen with the option to go back to the login step of the form.

Workarounds

You can set up a logic rule based on a hidden field (BSN/KVK) which is prefilled via a plugin. If the value of that field is empty ("" or null), you can block form step submission.
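The sketch below illustrates both the patch idea and the workaround: a server-side check on every step request, and a rule that blocks when the prefilled hidden field is empty. It is an added example, not Open Forms code; the class names, function names, session shape and sample values are all assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Optional


class StepAccessDenied(Exception):
    """Request rejected; the client shows a generic error and a way back to login."""


@dataclass
class Form:
    login_required: bool


@dataclass
class Session:
    # Hypothetical server-side state for one end user.
    auth_plugin: Optional[str] = None   # which login plugin was used
    auth_value: Optional[str] = None    # identifier it returned (BSN/KVK)

    def logout(self) -> None:
        self.auth_plugin = self.auth_value = None


def check_step_access(form: Form, session: Session) -> None:
    """Patch idea: evaluated on every step request, not only at the login step."""
    if form.login_required and not (session.auth_plugin and session.auth_value):
        raise StepAccessDenied("authentication required for this form")


def workaround_blocks(step_data: dict, hidden_key: str = "bsn") -> bool:
    """Workaround idea: block when the prefilled hidden field is "" or null."""
    return step_data.get(hidden_key) in ("", None)


def submit_step(form: Form, session: Session, step_data: dict) -> str:
    check_step_access(form, session)
    if form.login_required and workaround_blocks(step_data):
        return "blocked"
    return "accepted"


def demo() -> list:
    # Constructed values: a login-required form and an authenticated session.
    form, session = Form(login_required=True), Session("demo-plugin", "123456782")
    results = [submit_step(form, session, {"bsn": "123456782"})]
    session.logout()  # user logs out, then returns to an earlier step
    try:
        results.append(submit_step(form, session, {"bsn": ""}))
    except StepAccessDenied:
        results.append("denied")
    return results
```

Because the check reads server-side session state on each request, a step page restored from browser history after logout is rejected on submission instead of being accepted.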

Severity

Moderate

CVE ID

No known CVE

Weaknesses