Drupal core - Moderately critical - Cross Site Scripting - SA-CORE-2024-003
Description
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Drupal Core allows Cross-Site Scripting (XSS). This issue affects Drupal Core: from 8.8.0 before 10.2.11, from 10.3.0 before 10.3.9, from 11.0.0 before 11.0.8.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A stored XSS vulnerability in Drupal core's message rendering allows unauthenticated attackers to inject malicious scripts via unsanitized status messages.
CVE-2024-12393 is a Cross-Site Scripting (XSS) vulnerability in Drupal core, caused by improper neutralization of input during web page generation. The issue lies in the MessageCommand class, where status messages are rendered without adequate sanitization when JavaScript is used to display them. The Drupal security advisory SA-CORE-2024-003 [4] and the associated source code fix [3] show that the render() method did not filter the message content, potentially allowing script injection.
Exploitation
An unauthenticated attacker can exploit this vulnerability by crafting a malicious message that, when processed by Drupal's JavaScript message system, executes arbitrary scripts in the context of the victim's browser. The advisory [4] notes that this affects Drupal versions from 8.8.0 before 10.2.11, 10.3.0 before 10.3.9, and 11.0.0 before 11.0.8. Notably, Drupal 7 is not affected, and older versions (8.x and 9.x) are end-of-life [4]. The official NVD entry [2] confirms the CVSS score remains pending but indicates a moderate severity.
Impact
Successful exploitation allows the attacker to inject and execute arbitrary JavaScript, leading to data theft, session hijacking, or defacement. The impact is limited to contexts where status messages are rendered, but given the ubiquity of such messages, the attack surface is broad.
Mitigation
The vulnerability is resolved in Drupal versions 10.2.11, 10.3.9, and 11.0.8 [4]. The fix involves sanitizing the message content by applying Xss::filterAdmin() to non-MarkupInterface strings, as shown in the commit [3]. Users must update to these versions immediately; no workaround is available.
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| drupal/core (Packagist) | >= 8.8.0, < 10.2.11 | 10.2.11 |
| drupal/core (Packagist) | >= 10.3.0, < 10.3.9 | 10.3.9 |
| drupal/core (Packagist) | >= 11.0.0, < 11.0.8 | 11.0.8 |
| drupal/core-recommended (Packagist) | >= 8.8.0, < 10.2.11 | 10.2.11 |
| drupal/core-recommended (Packagist) | >= 10.3.0, < 10.3.9 | 10.3.9 |
| drupal/core-recommended (Packagist) | >= 11.0.0, < 11.0.8 | 11.0.8 |
| drupal/drupal (Packagist) | >= 8.8.0, < 10.2.11 | 10.2.11 |
| drupal/drupal (Packagist) | >= 10.3.0, < 10.3.9 | 10.3.9 |
| drupal/drupal (Packagist) | >= 11.0.0, < 11.0.8 | 11.0.8 |
Affected products (6)
- Range: >=8.8.0 <10.2.11, >=10.3.0 <10.3.9, >=11.0.0 <11.0.8
- OSV coordinates (4 versions): pkg:bitnami/drupal, pkg:composer/drupal/core, pkg:composer/drupal/core-recommended, pkg:composer/drupal/drupal; range >= 8.8.0, < 10.3.9 (+3 more)
- (no CPE) range: >= 8.8.0, < 10.3.9
- (no CPE) range: >= 8.8.0, < 10.2.11
- (no CPE) range: >= 8.8.0, < 10.2.11
- (no CPE) range: >= 8.8.0, < 10.2.11
- Drupal / Drupal Core (v5) range: 8.8.0
Patches
Commit 1276ac67ad891: SA-CORE-2024-003 by jrb, larowlan, catch, mingsong, poker10, longwave, benjifisher
1 file changed · +7 −3
lib/Drupal/Core/Ajax/MessageCommand.php+7 −3 modified@@ -2,6 +2,8 @@ namespace Drupal\Core\Ajax; +use Drupal\Component\Render\MarkupInterface; +use Drupal\Component\Utility\Xss; use Drupal\Core\Asset\AttachedAssets; /** @@ -68,7 +70,7 @@ class MessageCommand implements CommandInterface, CommandWithAttachedAssetsInter /** * The message text. * - * @var string + * @var string|\Drupal\Component\Render\MarkupInterface */ protected $message; @@ -96,7 +98,7 @@ class MessageCommand implements CommandInterface, CommandWithAttachedAssetsInter /** * Constructs a MessageCommand object. * - * @param string $message + * @param string|\Drupal\Component\Render\MarkupInterface $message * The text of the message. * @param string|null $wrapper_query_selector * The query selector of the element to display messages in when they @@ -120,7 +122,9 @@ public function __construct($message, $wrapper_query_selector = NULL, array $opt public function render() { return [ 'command' => 'message', - 'message' => $this->message, + 'message' => $this->message instanceof MarkupInterface + ? (string) $this->message + : Xss::filterAdmin($this->message), 'messageWrapperQuerySelector' => $this->wrapperQuerySelector, 'messageOptions' => $this->options, 'clearPrevious' => $this->clearPrevious,
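Review bot: In the constructor hunk, the `@param string|\Drupal\Component\Render\MarkupInterface $message` change widens the accepted type, but the description "The text of the message." no longer tells callers what the type distinction means: a plain string is now passed through Xss::filterAdmin() in render() while a MarkupInterface value is emitted as-is. Add a sentence to the docblock saying that disallowed tags in a plain string are stripped and that already-safe HTML must be wrapped in a MarkupInterface object (for example the result of t() or FormattableMarkup) to be preserved, so existing callers who relied on raw HTML in a string understand the behaviour change.

Review bot: In the render() hunk, the MarkupInterface branch `? (string) $this->message` casts to string without any filtering, so the safety of this fix rests on every caller only ever wrapping trusted or already-escaped markup in a MarkupInterface object and never raw user input; a regression test that a plain string containing a script tag comes back filtered and that a MarkupInterface message passes through unchanged would pin that contract down. Also worth stating in the commit or docblock why Xss::filterAdmin(), the permissive admin tag allow-list, was chosen over Xss::filter(), so callers know which tags survive in a plain-string message.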
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
News mentions (4)
- Drupal core - Moderately critical - Cross Site Scripting - SA-CORE-2024-003 (Drupal Security Advisories, Nov 20, 2024)