GHSA-7v68-3pr5-h3cr – drupal/core

Package

Manager: composer
Name: drupal/core
Vulnerable Version: >=8.0.0 <8.5.8 || >=8.6.0 <8.6.2

Severity

Level: Critical

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N/E:U/RL:O/RC:C

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N

EPSS: N/A pctlN/A

Details

Drupal Core Insufficient Contextual Links validation leads to Remote Code Execution The Contextual Links module doesn't sufficiently validate the requested contextual links. This vulnerability is mitigated by the fact that an attacker must have a role with the permission "access contextual links".

Metadata

Created: 2024-05-15T20:37:17Z
Modified: 2024-05-15T20:37:17Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/05/GHSA-7v68-3pr5-h3cr/GHSA-7v68-3pr5-h3cr.json
CWE IDs: ["CWE-94"]
Alternative ID: N/A
Finding: F184
Auto approve: 1