GHSA-jjx7-8462-w4m4 – drupal/drupal

Package

Manager: composer
Name: drupal/drupal
Vulnerable Version: >=8.0.0 <8.5.8 || >=8.6.0 <8.6.2

Severity

Level: Critical

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N/E:U/RL:O/RC:C

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N

EPSS: N/A pctlN/A

Details

Drupal Core Insufficient Contextual Links validation leads to Remote Code Execution The Contextual Links module doesn't sufficiently validate the requested contextual links. This vulnerability is mitigated by the fact that an attacker must have a role with the permission "access contextual links".

Metadata

Created: 2024-05-15T20:57:20Z
Modified: 2024-05-15T20:57:20Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/05/GHSA-jjx7-8462-w4m4/GHSA-jjx7-8462-w4m4.json
CWE IDs: ["CWE-20"]
Alternative ID: N/A
Finding: F184
Auto approve: 1