DRUPAL-CONTRIB-2024-039

See a problem?

Import Source

https://github.com/DrupalSecurityTeam/drupal-advisory-database/blob/main/advisories/seckit/DRUPAL-CONTRIB-2024-039.json

JSON Data

https://api.osv.dev/v1/vulns/DRUPAL-CONTRIB-2024-039

Aliases

CVE-2024-13275

Published

2024-09-11T16:21:22Z

Modified

2025-12-10T23:41:32.794788Z

Summary

[none]

Details

This module provides Drupal with various security-hardening options, for example by emitting various configurable HTTP response headers.

The module doesn't sufficiently validate input in Content Security Policy (CSP) violation reports. This can cause errors when a logging module (e.g. dblog or syslog) attempts to parse the resulting log message which contains invalid data.

This vulnerability is mitigated by the fact that to be affected a site must have seckit's CSP reporting functionality enabled. Recent versions of Drupal 10 and 11 core are not vulnerable due to improved parsing of log messages.

References

https://www.drupal.org/sa-contrib-2024-039

Credits

- _b0lli
- - https://www.drupal.org/user/3827467

Affected packages

Packagist:https://packages.drupal.org/8 / drupal/seckit

Package

Name: drupal/seckit
Purl: pkg:composer/drupal/seckit

Affected ranges

Type

ECOSYSTEM

Events

Introduced

Fixed

2.0.3

Database specific

{
    "constraint": "<2.0.3"
}

Database specific

affected_versions

"<2.0.3"

source

"https://github.com/DrupalSecurityTeam/drupal-advisory-database/blob/main/advisories/seckit/DRUPAL-CONTRIB-2024-039.json"