CVE-2024-11942: Drupal core vulnerable to improper error handling

December 5, 2024

Under certain uncommon site configurations, a bug in the CKEditor 5 module can cause some image uploads to move the entire webroot to a different location on the file system. This could be exploited by a malicious user to take down a site.

The issue is mitigated by the fact that several non-default site configurations must exist simultaneously for this to occur.

References

github.com/advisories/GHSA-52jr-x6h6-xj6g
github.com/drupal/core
nvd.nist.gov/vuln/detail/CVE-2024-11942
www.drupal.org/sa-core-2024-002

Detect and mitigate CVE-2024-11942 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →