DRUPAL-CONTRIB-2024-037

See a problem?

Import Source

https://github.com/DrupalSecurityTeam/drupal-advisory-database/blob/main/advisories/social/DRUPAL-CONTRIB-2024-037.json

JSON Data

https://api.osv.dev/v1/vulns/DRUPAL-CONTRIB-2024-037

Aliases

CVE-2024-13273

Withdrawn

2026-03-18T18:00:07.487495Z

Published

2024-09-04T16:15:41Z

Modified

2026-03-18T18:00:07.487495Z

Summary

[none]

Details

Open Social is a Drupal distribution for online communities, which ships with an optional module called Social Embed.

This module allows a website to display embedded content (such as photos or videos) when a user posts a link to that resource, without having to parse the resource directly.

Added URL's were not sufficiently validated which could lead to a DoS via Blind SSRF and/or Application Takeover via Stored XSS.

This vulnerability is mitigated by the fact that social_embed submodule needs to be enabled.

References

https://www.drupal.org/sa-contrib-2024-037

Credits

- Thiago Régis
- - https://www.drupal.org/user/277221

Affected packages

Packagist:https://packages.drupal.org/8 / drupal/social

Package

Name: drupal/social
Purl: pkg:composer/drupal/social

Affected ranges

Type

ECOSYSTEM

Events

Introduced

Fixed

12.3.8

Database specific

{
    "constraint": "<12.3.8"
}

Type

ECOSYSTEM

Events

Introduced

12.4.0

Fixed

12.4.5

Database specific

{
    "constraint": ">=12.4.0 <12.4.5"
}

Database specific

affected_versions

"<12.3.8 || >=12.4.0 <12.4.5"

source

"https://github.com/DrupalSecurityTeam/drupal-advisory-database/blob/main/advisories/social/DRUPAL-CONTRIB-2024-037.json"