Platform: drupal
Component: drupal
Fixed in: 10.2.10
CVE-2024-11942 is a file system vulnerability affecting Drupal Core versions up to 10.2.9. This issue arises from a bug within the CKEditor 5 module, which, under specific and uncommon site configurations, can lead to image uploads inadvertently relocating the entire webroot on the file system. While the risk is mitigated by the need for multiple non-default configurations, successful exploitation could result in site unavailability. A fix is available in Drupal Core 10.2.10.
The primary impact of CVE-2024-11942 is potential site downtime. A malicious user, exploiting the vulnerability, could trigger an image upload that moves the webroot to a different location. This disruption would render the website inaccessible to users. The severity is tempered by the requirement for a very specific and uncommon configuration of the Drupal site. Attackers would need to manipulate the CKEditor 5 module and leverage specific file system permissions to achieve this outcome. This vulnerability doesn't directly expose sensitive data but can cause significant operational disruption.
CVE-2024-11942 was publicly disclosed on December 5, 2024. While no public proof-of-concept (PoC) has been released, the uncommon configuration requirements limit the immediate exploitation risk. The vulnerability is not currently listed on CISA KEV. The EPSS score is likely low to medium, reflecting the difficulty in achieving the necessary preconditions for exploitation.
Exploit Status
EPSS: 1.56% (81st percentile)
CVSS Vector
The most effective mitigation for CVE-2024-11942 is upgrading to Drupal Core 10.2.10 or later, which contains the fix. If immediate upgrading isn't feasible, carefully review and restrict file upload permissions within your Drupal site. Ensure that the CKEditor 5 module is configured with the default settings and that any custom configurations are thoroughly vetted for potential security implications. Consider implementing a Web Application Firewall (WAF) to filter potentially malicious image uploads. After upgrading, confirm the fix by attempting an image upload with a potentially problematic filename and verifying that the webroot remains in its expected location.
Update Drupal Core to version 10.2.10 or higher. This update fixes the error handling vulnerability. Back up your website before updating.
CVE-2024-11942 is a vulnerability in Drupal Core versions ≤10.2.9 where image uploads can move the webroot under specific configurations, potentially causing site downtime. It has a MEDIUM severity (5.9).
You are affected if you are running Drupal Core versions 10.2.9 or earlier and have a non-standard CKEditor 5 module configuration. Review your site's configuration to determine your risk level.
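A version check for the "are you affected" question above, added here as an example that is not part of the original advisory: it parses a composer.lock (a constructed sample is embedded) and flags a drupal/core or drupal/core-recommended pin older than the 10.2.10 fix named on this page, treating pre-release tags such as 10.2.10-rc1 as still unfixed. The package names and the sample lock file are assumptions; the check covers only the fix version this page states.

```python
import json
import re

# Constructed sample composer.lock excerpt (not from any real site); only the
# fields the check reads are included.
SAMPLE_COMPOSER_LOCK = """
{
  "packages": [
    {"name": "drupal/core", "version": "10.2.9"},
    {"name": "drupal/core-recommended", "version": "10.2.9"},
    {"name": "drupal/ckeditor5", "version": "10.2.9"}
  ],
  "packages-dev": []
}
"""

# Packages that pin the Drupal core release in a Composer-managed site (assumption).
CORE_PACKAGES = {"drupal/core", "drupal/core-recommended"}
# First fixed release named in this advisory; the trailing 1 marks a final
# (non pre-release) version so that 10.2.10-rc1 sorts below it.
FIXED_VERSION = (10, 2, 10, 1)

_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.]+)?$")


def parse_version(version):
    """Map '10.2.9', 'v10.2.9' or '10.2.10-rc1' to a comparable tuple."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    major, minor, patch, suffix = m.groups()
    return (int(major), int(minor), int(patch), 0 if suffix else 1)


def core_versions(lock_text):
    """Return {package_name: version} for the core packages in composer.lock."""
    lock = json.loads(lock_text)
    found = {}
    for section in ("packages", "packages-dev"):
        for pkg in lock.get(section, []):
            if pkg.get("name") in CORE_PACKAGES:
                found[pkg["name"]] = pkg["version"]
    return found


def is_affected(lock_text):
    """True if any pinned core package is older than the 10.2.10 fix."""
    versions = core_versions(lock_text)
    if not versions:
        raise ValueError("no drupal/core package found in composer.lock")
    return any(parse_version(v) < FIXED_VERSION for v in versions.values())
```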
Upgrade to Drupal Core 10.2.10 or later. If upgrading is not immediately possible, review and restrict file upload permissions and consider using a WAF.
As of December 2024, there are no confirmed reports of active exploitation, but the vulnerability is publicly known.
Refer to the official Drupal security advisory at https://www.drupal.org/security/advisories/cve-2024-11942 for detailed information and updates.