DRUPAL-CORE-2024-002

See a problem?

Import Source

https://github.com/DrupalSecurityTeam/drupal-advisory-database/blob/main/advisories/core/DRUPAL-CORE-2024-002.json

JSON Data

https://api.osv.dev/v1/vulns/DRUPAL-CORE-2024-002

Aliases

Published

2024-10-16T16:27:27Z

Modified

2025-12-10T23:40:59.635498Z

Summary

[none]

Details

Under certain uncommon site configurations, a bug in the CKEditor 5 module can cause some image uploads to move the entire webroot to a different location on the file system. This could be exploited by a malicious user to take down a site.

The issue is mitigated by the fact that several non-default site configurations must exist simultaneously for this to occur.

References

https://www.drupal.org/sa-core-2024-002

Credits

- Pierre Rudloff
- - https://www.drupal.org/user/3611858

Affected packages

Packagist / drupal/core

Package

Name: drupal/core
Purl: pkg:composer/drupal/core

Affected ranges

Type

ECOSYSTEM

Events

Introduced

10.0.0

Fixed

10.2.10

Database specific

{
    "constraint": ">=10.0 < 10.2.10"
}

Affected versions

10.*

10.0.0

10.0.1

10.0.2

10.0.3

10.0.4

10.0.5

10.0.6

10.0.7

10.0.8

10.0.9

10.0.10

10.0.11

10.1.0-alpha1

10.1.0-beta1

10.1.0-rc1

10.1.0

10.1.1

10.1.2

10.1.3

10.1.4

10.1.5

10.1.6

10.1.7

10.1.8

10.2.0-alpha1

10.2.0-beta1

10.2.0-rc1

10.2.0

10.2.1

10.2.2

10.2.3

10.2.4

10.2.5

10.2.6

10.2.7

10.2.8

10.2.9

Database specific

affected_versions

">=10.0 < 10.2.10"

source

"https://github.com/DrupalSecurityTeam/drupal-advisory-database/blob/main/advisories/core/DRUPAL-CORE-2024-002.json"