CVE-2024-11942
Published: 2024-12-05
Priority: P3 · medium · CVSS 3.1 score 5.9
Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N
EPSS: 0.38% (29.3 percentile)
A vulnerability in Drupal Core allows File Manipulation. This issue affects Drupal Core: from 10.0.0 before 10.2.10.
Affected (4 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| drupal | core | >= 10.0.0 < 10.2.10 | 10.2.10 |
| drupal | drupal | >= 10.0.0 < 10.2.10 | 10.2.10 |
| drupal | drupal_core | — | — |
| drupal | drupal_core | >= 10.0.0 < 10.2.10 | 10.2.10 |
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 5.9 | MEDIUM | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N |
| osv | — | 5.9 | MEDIUM | — |
GHSA · 2024-12-05 · CVE-2024-11942 [MEDIUM] · CWE-390
Drupal core vulnerable to improper error handling
Under certain uncommon site configurations, a bug in the CKEditor 5 module can cause some image uploads to move the entire webroot to a different location on the file system. This could be exploited by a malicious user to take down a site.
The issue is mitigated by the fact that several non-default site configurations must exist simultaneously for this to occur.
OSV · 2024-12-05 · CVE-2024-11942 [MEDIUM]
Drupal core vulnerable to improper error handling
Under certain uncommon site configurations, a bug in the CKEditor 5 module can cause some image uploads to move the entire webroot to a different location on the file system. This could be exploited by a malicious user to take down a site.
The issue is mitigated by the fact that several non-default site configurations must exist simultaneously for this to occur.
OSV · 2024-12-05 · CVE-2024-11942 [MEDIUM] · CVSS 5.9
CVE-2024-11942: A vulnerability in Drupal Core allows File Manipulation
A vulnerability in Drupal Core allows File Manipulation. This issue affects Drupal Core: from 10.0.0 before 10.2.10.
OSV · 2024-10-16 · CVE-2024-11942
CVE-2024-11942: Under certain uncommon site configurations, a bug in the CKEditor 5 module can cause some image uploads to move the entire webroot to a different loca
Under certain uncommon site configurations, a bug in the CKEditor 5 module can cause some image uploads to move the entire webroot to a different location on the file system. This could be exploited by a malicious user to take down a site.
The issue is mitigated by the fact that several non-default site configurations must exist simultaneously for this to occur.
Drupal (vendor advisory) · 2024-10-16 · CVE-2024-11942 [MEDIUM]
Title: Drupal core - Moderately critical - Improper error handling - SA-CORE-2024-002
Vulnerability Type: Improper error handling
Description: Under certain uncommon site configurations, a bug in the CKEditor 5 module can cause some image uploads to move the entire webroot to a different location on the file system. This could be exploited by a malicious user to take down a site. The issue is mitigated by the fact that several non-default site configurations must exist simultaneously for this to occur.
Solution: Install the latest version. If you are using Drupal 10.2, update to Drupal 10.2.10. Drupal 10.3 and above are not affected, nor is Drupal 7. All versions of Drupal 10 prior to 10.2 are end-of-life and do not receive security coverage. (Drupal 8 and Drupal 9 have both reached e
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.