CVE-2024-12393: Drupal Core Cross-Site Scripting (XSS)

December 10, 2024

Drupal uses JavaScript to render status messages in some cases and configurations. In certain situations, the status messages are not adequately sanitized. This issue affects Drupal Core: from 8.8.0 before 10.2.11, from 10.3.0 before 10.3.9, from 11.0.0 before 11.0.8.

References

github.com/advisories/GHSA-8mvq-8h2v-j9vf
github.com/drupal/core
github.com/drupal/core/commit/276ac67ad891605052e0a24fb36ece9caaa511e8
nvd.nist.gov/vuln/detail/CVE-2024-12393
www.drupal.org/sa-core-2024-003

Detect and mitigate CVE-2024-12393 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →