CVE-2024-12393
Published 2024-12-10
CVE-2024-12393: Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Drupal Core allows Cross-Site Scripting (XSS).
Priority: P4 · 23 · medium · CVSS 3.1 base score 5.4
CVSS 3.1 vector: AV:N / AC:L / PR:L / UI:R / S:C / C:L / I:L / A:N
EPSS: 0.32% (23.8th percentile)
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Drupal Core allows Cross-Site Scripting (XSS). This issue affects Drupal Core: from 8.8.0 before 10.2.11, from 10.3.0 before 10.3.9, from 11.0.0 before 11.0.8.
Affected (16 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| drupal | core | >= 10.3.0 < 10.3.9 | 10.3.9 |
| drupal | core | >= 11.0.0 < 11.0.8 | 11.0.8 |
| drupal | core | >= 8.8.0 < 10.2.11 | 10.2.11 |
| drupal | core-recommended | >= 10.3.0 < 10.3.9 | 10.3.9 |
| drupal | core-recommended | >= 11.0.0 < 11.0.8 | 11.0.8 |
| drupal | core-recommended | >= 8.8.0 < 10.2.11 | 10.2.11 |
| drupal | drupal | >= 10.3.0 < 10.3.9 | 10.3.9 |
| drupal | drupal | >= 10.3.0 < 10.3.9 | 10.3.9 |
| drupal | drupal | >= 11.0.0 < 11.0.8 | 11.0.8 |
| drupal | drupal | >= 11.0.0 < 11.0.8 | 11.0.8 |
| drupal | drupal | >= 8.8.0 < 10.2.11 | 10.2.11 |
| drupal | drupal | >= 8.8.0 < 10.2.11 | 10.2.11 |
| drupal | drupal_core | — | — |
| drupal | drupal_core | >= 10.3.0 < 10.3.9 | 10.3.9 |
| drupal | drupal_core | >= 11.0.0 < 11.0.8 | 11.0.8 |
| drupal | drupal_core | >= 8.8.0 < 10.2.11 | 10.2.11 |
CVSS provenance

| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 5.4 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N |
| osv | — | 5.4 | MEDIUM | — |
OSV · 2024-12-10 · CVSS 5.4 · MEDIUM
CVE-2024-12393: Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Drupal Core allows Cross-Site Scripting (XSS)
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Drupal Core allows Cross-Site Scripting (XSS). This issue affects Drupal Core: from 8.8.0 before 10.2.11, from 10.3.0 before 10.3.9, from 11.0.0 before 11.0.8.
OSV · 2024-12-10 · MEDIUM
Drupal Core Cross-Site Scripting (XSS)
Drupal uses JavaScript to render status messages in some cases and configurations. In certain situations, the status messages are not adequately sanitized. This issue affects Drupal Core: from 8.8.0 before 10.2.11, from 10.3.0 before 10.3.9, from 11.0.0 before 11.0.8.
GHSA · 2024-12-10 · MEDIUM · CWE-79
Drupal Core Cross-Site Scripting (XSS)
Drupal uses JavaScript to render status messages in some cases and configurations. In certain situations, the status messages are not adequately sanitized. This issue affects Drupal Core: from 8.8.0 before 10.2.11, from 10.3.0 before 10.3.9, from 11.0.0 before 11.0.8.
OSV · 2024-11-20
CVE-2024-12393: Drupal uses JavaScript to render status messages in some cases and configurations
Drupal uses JavaScript to render status messages in some cases and configurations. In certain situations, the status messages are not adequately sanitized.
Drupal (vendor advisory) · 2024-11-20 · MEDIUM
Title: Drupal core - Moderately critical - Cross Site Scripting - SA-CORE-2024-003
Vulnerability Type: Cross Site Scripting
Description: Drupal uses JavaScript to render status messages in some cases and configurations. In certain situations, the status messages are not adequately sanitized.
Solution: Install the latest version: If you are using Drupal 10.2, update to Drupal 10.2.11. If you are using Drupal 10.3, update to Drupal 10.3.9. If you are using Drupal 11.0, update to Drupal 11.0.8. Drupal 7 is not affected. All versions of Drupal 10 prior to 10.2 are end-of-life and do not receive security coverage. (Drupal 8 and Drupal 9 have both reached end-of-life.)
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.