Fixed versions: 11.0.8, 10.2.11
CVE-2024-55634 is a vulnerability in Drupal Core. The uniqueness check on user email addresses behaves differently depending on the database engine and collation in use: under a case-insensitive collation two spellings of an address compare as equal, while under a binary comparison they do not, so on some configurations more than one account can be registered with what is effectively the same email address. It affects Drupal Core 8.0.0 through 10.2.10, 10.3.x before 10.3.9 and 11.0.x before 11.0.8; the fix ships in 10.2.11, 10.3.9 and 11.0.8.
An attacker could register a new account whose email address collides with that of an existing user. Any workflow keyed on the email address, such as password resets, one-time login links or notifications, may then act on the wrong account, which is the path to confusion or account hijacking; at minimum the site's user data is no longer consistent. The impact is on data integrity and account handling rather than direct system compromise, and the colliding accounts can also be used for spam or other abuse. The issue illustrates why validation and uniqueness constraints must behave the same across database engines instead of relying on engine-specific comparison rules.
The exploitation context for CVE-2024-55634 is currently unclear. No public exploits or active campaigns have been reported, and the CVSS score is pending evaluation. The vulnerability was published on December 10, 2024. Although its direct impact is on data integrity, the duplicate-account condition is what an attacker would build on, so it should not be dismissed as cosmetic.
Organizations and individuals running Drupal Core 8.0.0 through 10.2.10, 10.3.0 through 10.3.8 or 11.0.0 through 11.0.7 are at risk. This includes websites and applications built on Drupal that rely on accurate user data and email communication. Sites with custom user registration modules or integrations should also be reviewed, since a custom registration path that performs its own email lookup may carry the same collation dependence.
• drupal: Check the installed Drupal Core version with drush core:status --field=drupal-version (or composer show drupal/core). Note that drush --version reports the Drush version, not the Drupal version.
• drupal: Review the Drupal log (Reports > Recent log messages in the admin UI, or drush watchdog:show --type=user) for bursts of registrations or repeated email-validation errors. Drupal logs to the database by default; a log file only exists if the syslog module or a custom logger has been configured.
• generic web: Monitor the registration endpoint (/user/register by default) for suspicious activity, such as many sign-ups from one source or addresses that differ only in case, using a web application firewall (WAF) or intrusion detection system (IDS).
Exploit status: disclosure
EPSS: 0.85% (75th percentile)
The primary mitigation for CVE-2024-55634 is to upgrade Drupal Core to the fixed release for your branch (10.2.11, 10.3.9 or 11.0.8, or later). If upgrading is not immediately possible, review the database collation of the user table and, where a change is feasible, make it consistent with the comparison the application expects; be aware that altering the collation of a table that already holds duplicate addresses can itself fail, so audit first. Add application-side validation that normalizes the submitted address before comparing it with existing accounts, so the outcome no longer depends on the database. Audit user accounts regularly for addresses that collide once normalized, and resolve any duplicates you find. After upgrading, verify the fix by attempting to register a new user with an address already in use, including a variant that differs only in letter case.
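The collation dependence described above and the post-upgrade audit, as an added example that is neither Drupal code nor part of this advisory. An in-memory SQLite database stands in for the site database: SQLite's NOCASE plays the role of a case-insensitive (MySQL *_ci) collation and BINARY the role of a byte-wise comparison such as PostgreSQL's default. The table and column names users and mail, the sample sign-ups, and the normalization rule (trim, then lower-case the whole address) are assumptions made for the example; the DRUPAL_AUDIT_SQL string targets Drupal's real users_field_data.mail column but is this example's own query, not one from the project.

```python
"""Collation-dependent email uniqueness, and an engine-independent audit.

Added example (not Drupal code). SQLite in memory stands in for the site
database: NOCASE plays the role of a case-insensitive (MySQL *_ci) collation,
BINARY the role of a byte-wise comparison such as PostgreSQL's default.
Table/column names 'users'/'mail' and the sample rows are assumptions.
"""
import sqlite3
from collections import defaultdict

# Constructed sample sign-ups: one mailbox spelled three ways, plus a distinct one.
SAMPLE_REGISTRATIONS = [
    (1, "alice@example.com"),
    (2, "Alice@Example.com"),
    (3, " alice@example.com"),
    (4, "bob@example.com"),
]

# Audit query for a real Drupal 8+ site (table users_field_data, column mail).
# Written for this example; grouping on the output alias works on MySQL and PostgreSQL.
DRUPAL_AUDIT_SQL = (
    "SELECT LOWER(TRIM(mail)) AS normalized_mail, COUNT(*) AS n "
    "FROM users_field_data WHERE mail IS NOT NULL "
    "GROUP BY normalized_mail HAVING COUNT(*) > 1"
)


def register_all(collation):
    """Insert every sample row into a table whose mail column is UNIQUE under
    the given collation; return which uids the database accepted and rejected.
    The same input gives different answers depending on the collation, which is
    the inconsistency the advisory describes."""
    if collation not in ("NOCASE", "BINARY"):  # keep the DDL string under control
        raise ValueError("collation must be NOCASE or BINARY")
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (uid INTEGER PRIMARY KEY, "
        f"mail TEXT NOT NULL COLLATE {collation} UNIQUE)"
    )
    outcome = {"accepted": [], "rejected": []}
    for uid, mail in SAMPLE_REGISTRATIONS:
        try:
            conn.execute("INSERT INTO users (uid, mail) VALUES (?, ?)", (uid, mail))
            outcome["accepted"].append(uid)
        except sqlite3.IntegrityError:  # UNIQUE constraint failed
            outcome["rejected"].append(uid)
    conn.close()
    return outcome


def normalize_mail(mail):
    """Canonical form for comparison, applied in application code so the result
    does not depend on the database. Assumption: the whole address is treated
    case-insensitively (RFC 5321 lets the local part be case-sensitive, but
    mailbox providers do not rely on that in practice)."""
    return mail.strip().lower()


def find_duplicate_mails(rows):
    """Group existing (uid, mail) rows by normalized address and return the
    collisions, e.g. {'alice@example.com': [1, 2, 3]}: the post-upgrade audit."""
    groups = defaultdict(list)
    for uid, mail in rows:
        groups[normalize_mail(mail)].append(uid)
    return {mail: uids for mail, uids in groups.items() if len(uids) > 1}


def is_mail_available(candidate, rows):
    """Pre-INSERT check for a registration form: refuse a candidate whose
    normalized form already exists, whatever collation the UNIQUE index uses."""
    wanted = normalize_mail(candidate)
    return all(normalize_mail(mail) != wanted for _, mail in rows)


if __name__ == "__main__":
    for collation in ("NOCASE", "BINARY"):
        print(collation, register_all(collation))
    print("duplicates:", find_duplicate_mails(SAMPLE_REGISTRATIONS))
    print("ALICE@example.com available?",
          is_mail_available("ALICE@example.com", SAMPLE_REGISTRATIONS))
```

Under NOCASE the database rejects the second spelling but still accepts the one with a leading space; under BINARY it accepts all four. Only the application-side normalization gives the same answer on every engine, which is why the audit and the pre-insert check are written against normalize_mail rather than against the UNIQUE index.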
Update Drupal Core to the latest available version. For versions 8.x through 10.2.x, update to 10.2.11 or later. For 10.3.x, update to 10.3.9 or later. For 11.0.x, update to 11.0.8 or later.
CVE-2024-55634 is a vulnerability in Drupal Core that lets users register with duplicate email addresses because the uniqueness check depends on the database engine and collation, undermining data integrity. It affects Drupal Core before 10.2.11, 10.3.x before 10.3.9 and 11.0.x before 11.0.8.
Yes, if you are running Drupal Core 8.0.0 through 10.2.10, 10.3.0 through 10.3.8 or 11.0.0 through 11.0.7, you are potentially affected. Upgrade to 10.2.11, 10.3.9 or 11.0.8 (or later) for your branch to mitigate the risk.
The recommended fix is to upgrade Drupal Core to the fixed release for your branch. If an immediate upgrade is not possible, normalize submitted email addresses in application code and compare them with existing accounts before creating a user, and audit existing accounts for colliding addresses.
As of December 2024, there are no known public exploits or active campaigns targeting CVE-2024-55634, but vigilance is still advised.
Refer to the official Drupal security advisory for detailed information and updates: https://www.drupal.org/security/advisories/cve-2024-55634