Drupal core - Moderately critical - Improper error handling - SA-CORE-2024-002
Description
A vulnerability in Drupal Core allows File Manipulation. This issue affects Drupal Core: from 10.0.0 before 10.2.10.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A bug in Drupal Core's CKEditor 5 module can, under uncommon configurations, move the entire webroot via image uploads, enabling site takedown.
Vulnerability
Overview
CVE-2024-11942 is a file manipulation vulnerability in Drupal Core affecting versions 10.0.0 through 10.2.9. The flaw resides in the CKEditor 5 module, where a bug in image upload handling can, under certain uncommon site configurations, cause the entire webroot to be moved to a different location on the file system [3]. This is not a typical file upload bypass but a logic error that triggers a destructive filesystem operation.
Exploitation
Conditions
Exploitation requires several non-default site configurations to be present simultaneously, making the attack surface narrow. A malicious user with the ability to upload images via CKEditor 5 (typically an authenticated user with appropriate permissions) could trigger the bug. The advisory notes that the issue is mitigated by the rarity of the required configuration combination [3].
Impact
If successfully exploited, an attacker can move the entire webroot directory, effectively taking the site offline. This results in a denial-of-service condition, as the site's files are relocated and no longer accessible from their expected paths. No data theft or code execution is described, but the availability impact is severe.
Mitigation
Drupal 10.2.10 contains the fix for this issue. Sites running Drupal 10.2.x should update immediately. Drupal 10.3 and later are not affected, nor is Drupal 7. Versions prior to 10.2 are end-of-life and no longer receive security coverage, so upgrading to a supported release is strongly recommended [3].
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| drupal/core | Packagist | >= 10.0.0, < 10.2.10 | 10.2.10 |
Affected products
- Range: >= 10.0.0, < 10.2.10
- OSV coordinates (2 versions): >= 10.0.0, < 10.3.0 (+ 1 more)
- (no CPE) range: >= 10.0.0, < 10.3.0
- (no CPE) range: >= 10.0.0, < 10.2.10
- Drupal / Drupal Core (v5) range: 10.0.0
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-52jr-x6h6-xj6g (GHSA, advisory)
- nvd.nist.gov/vuln/detail/CVE-2024-11942 (GHSA, advisory)
- www.drupal.org/sa-core-2024-002 (GHSA, web)
News mentions
- Drupal core - Moderately critical - Improper error handling - SA-CORE-2024-002 (Drupal Security Advisories, Oct 16, 2024)