Packagist (Composer) package
drupal/core-recommended
pkg:composer/drupal/core-recommended
Vulnerabilities (6)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2024-55638 | — | | | >= 8.8.0, < 10.2.11 | 10.2.11 | Dec 9, 2024 | Deserialization of Untrusted Data vulnerability in Drupal Core allows Object Injection. This issue affects Drupal Core: from 7.0 before 7.102, from 8.0.0 before 10.2.11, from 10.3.0 before 10.3.9. Drupal core contains a chain of methods that is exploitable when an insecure deseri |
| CVE-2024-55637 | — | | | >= 8.8.0, < 10.2.11 | 10.2.11 | Dec 9, 2024 | Deserialization of Untrusted Data vulnerability in Drupal Core allows Object Injection. This issue affects Drupal Core: from 8.0.0 before 10.2.11, from 10.3.0 before 10.3.9, from 11.0.0 before 11.0.8. Drupal core contains a chain of methods that is exploitable when an insecure de |
| CVE-2024-55636 | — | | | >= 8.8.0, < 10.2.11 | 10.2.11 | Dec 9, 2024 | Deserialization of Untrusted Data vulnerability in Drupal Core allows Object Injection. This issue affects Drupal Core: from 8.0.0 before 10.2.11, from 10.3.0 before 10.3.9, from 11.0.0 before 11.0.8. Drupal core contains a chain of methods that is exploitable when an insecure de |
| CVE-2024-55634 | — | | | >= 8.0.0, < 10.2.11 | 10.2.11 | Dec 9, 2024 | A vulnerability in Drupal Core allows Privilege Escalation. This issue affects Drupal Core: from 8.0.0 before 10.2.11, from 10.3.0 before 10.3.9, from 11.0.0 before 11.0.8. |
| CVE-2024-12393 | — | | | >= 8.8.0, < 10.2.11 | 10.2.11 | Dec 9, 2024 | Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Drupal Core allows Cross-Site Scripting (XSS). This issue affects Drupal Core: from 8.8.0 before 10.2.11, from 10.3.0 before 10.3.9, from 11.0.0 before 11.0.8. |
| CVE-2024-45440 | — | | | >= 10.3.0, < 10.3.6 | 10.3.6 | Aug 29, 2024 | core/authorize.php in Drupal 11.x-dev allows Full Path Disclosure (even when error logging is None) if the value of hash_salt is file_get_contents of a file that does not exist. |