Platform
drupal
Component
drupal
Fixed in
10.2.11
10.3.9
11.0.8
10.2.11
10.2.11
10.2.11
CVE-2024-12393 describes a Cross-Site Scripting (XSS) vulnerability within Drupal Core. This flaw arises from insufficient sanitization of status messages rendered via JavaScript, potentially allowing attackers to inject malicious scripts into the affected Drupal site. This impacts Drupal Core versions from 8.8.0 before 10.2.11, from 10.3.0 before 10.3.9, and from 11.0.0 before 11.0.8. The vulnerability is fixed in Drupal version 10.2.11.
CVE-2024-12393 in Drupal Core affects how status messages are rendered using JavaScript. In specific configurations, these messages are not adequately sanitized, potentially allowing an attacker to inject malicious JavaScript code. This code could be executed in a user's browser, potentially compromising the website's security. The vulnerability's severity is rated as 5.4 on the CVSS scale, indicating a moderate risk. Affected versions include Drupal Core from 8.8.0 before 10.2.11, from 10.3.0 before 10.3.9, and from 11.0.0 before 11.0.8. Successful exploitation could result in arbitrary code execution, sensitive information theft, or website manipulation.
The vulnerability is exploited through JavaScript code injection into status messages. An attacker could achieve this by manipulating data used to generate these messages, taking advantage of the inadequate sanitization. The exploitation context depends on the specific Drupal site configuration and the functionalities that utilize JavaScript-rendered status messages. Exploitation requires the attacker to have the ability to influence the data used to generate the status messages, which could be achieved through various vulnerabilities in custom modules or themes. The execution of injected code depends on the user's browser configuration and the website's security policies.
Exploit Status
EPSS
1.89% (83% percentile)
CVSS Vector
The recommended solution is to update Drupal Core to a patched version. Specifically, update to version 10.2.11 or higher, 10.3.9 or higher, or 11.0.8 or higher. These versions include patches addressing the JavaScript sanitization vulnerability in status messages. If an immediate update is not possible, consider implementing temporary mitigation measures, such as carefully reviewing custom JavaScript code and temporarily disabling features that utilize JavaScript-rendered status messages. Applying the update as soon as possible is crucial to minimize the risk of exploitation. Thorough testing should be performed after the update to ensure website functionality.
Actualice Drupal Core a la última versión disponible. Para las versiones 8.8.x a 10.2.x, actualice a la versión 10.2.11 o superior. Para las versiones 10.3.x, actualice a la versión 10.3.9 o superior. Para las versiones 11.0.x, actualice a la versión 11.0.8 o superior.
Vulnerability analysis and critical alerts directly to your inbox.
Drupal Core from 8.8.0 before 10.2.11, from 10.3.0 before 10.3.9, and from 11.0.0 before 11.0.8.
Verify the version of Drupal Core you are using. If it falls within the affected ranges, it is likely vulnerable.
JavaScript sanitization is the process of cleaning and validating JavaScript code to remove or neutralize any malicious code.
Consider implementing temporary mitigation measures, such as reviewing custom JavaScript code and temporarily disabling features that utilize status messages.
Drupal offers built-in update tools and third-party modules that can simplify the update process.
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.
Upload your composer.lock file and we'll tell you instantly if you're affected.