Drupal Core Vulnerability - XSS (Cross-Site Scripting)
CVE-2024-12393

Currently unrated

Key Information:

Vendor: Drupal
Status: Drupal Core
Vendor: CVE Published:; 10 December 2024

Summary

A vulnerability in Drupal Core allows for Cross-Site Scripting (XSS) due to improper neutralization of input during web page generation. Attackers can exploit this flaw to inject arbitrary web scripts into pages displayed to users, potentially leading to data theft or unauthorized actions. The issue impacts various versions of Drupal Core, necessitating immediate action from website administrators to ensure the security of their web applications.

Affected Version(s)

Drupal Core 8.8.0 < 10.2.11

Drupal Core 10.3.0 < 10.3.9

Drupal Core 11.0.0 < 11.0.8

References

https://www.drupal.org/sa-core-2024-003

Timeline

Vulnerability published
Dec 10, 2024

Credit

Jay Beaton

Lee Rowlands

catch

Mingsong

Juraj Nemec

Dave Long

Benji Fisher

Juraj Nemec

Greg Knaddison