A vulnerability in Drupal Core allows Privilege Escalation.This issue affects Drupal Core: from 8.0.0 before 10.2.11, from 10.3.0 before 10.3.9, from 11.0.0 before 11.0.8.

According to its self-reported version number, the detected Drupal application is affected by multiple vulnerabilities :

 - Drupal uses JavaScript to render status messages in some cases and configurations. In certain situations, the status messages are not adequately sanitized.

 - Drupal core contains a potential PHP Object Injection vulnerability that (if combined with another exploit) could lead to Remote Code Execution. It is not directly exploitable.

 - Drupal core contains a potential PHP Object Injection vulnerability that (if combined with another exploit) could lead to Artbitrary File Deletion. It is not directly exploitable.

 - Drupal 7 core's Overlay module doesn't safely handle user input, leading to reflected cross-site scripting under certain circumstances. Only sites with the Overlay module enabled are affected by this vulnerability.

 - Drupal's uniqueness checking for certain user fields is inconsistent depending on the database engine and its collation. As a result, a user may be able to register with the same email address as another user. This may lead to data integrity issues.

 - Drupal uses JavaScript to render status messages in some cases and configurations. In certain situations, the status messages are not adequately sanitized.

Note that the scanner has not tested for these issues but has instead relied only on the application's self-reported version number.

According to its self-reported version, the instance of Drupal running on the remote web server is 7.x prior to 7.102, 10.2.x prior to 10.2.11, 10.3.x prior to 10.3.9, or 11.x prior to 11.0.8. It is, therefore, affected by multiple vulnerabilities.

  - Deserialization of Untrusted Data vulnerability in Drupal Core allows Object Injection.This issue affects     Drupal Core: from 7.0 before 7.102, from 8.0.0 before 10.2.11, from 10.3.0 before 10.3.9. (CVE-2024-55638)

  - Deserialization of Untrusted Data vulnerability in Drupal Core allows Object Injection.This issue affects     Drupal Core: from 8.0.0 before 10.2.11, from 10.3.0 before 10.3.9, from 11.0.0 before 11.0.8.
    (CVE-2024-55636, CVE-2024-55637)

  - Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability     in Drupal Core allows Cross-Site Scripting (XSS).This issue affects Drupal Core: from 7.0 before 7.102.
    (CVE-2024-55635)

  - A vulnerability in Drupal Core allows Privilege Escalation.This issue affects Drupal Core: from 8.0.0     before 10.2.11, from 10.3.0 before 10.3.9, from 11.0.0 before 11.0.8. (CVE-2024-55634)

  - Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability     in Drupal Core allows Cross-Site Scripting (XSS).This issue affects Drupal Core: from 8.8.0 before     10.2.11, from 10.3.0 before 10.3.9, from 11.0.0 before 11.0.8. (CVE-2024-12393)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

ID	Name	Product	Family	Severity
114522	Drupal 7.x < 7.102 Multiple Vulnerabilities	Web App Scanning	Component Vulnerability	critical
114521	Drupal 10.2.x < 10.2.11 Multiple Vulnerabilities	Web App Scanning	Component Vulnerability	critical
114520	Drupal 10.3.x < 10.3.9 Multiple Vulnerabilities	Web App Scanning	Component Vulnerability	critical
114519	Drupal 11.0.x < 11.0.8 Multiple Vulnerabilities	Web App Scanning	Component Vulnerability	critical
211656	Drupal 7.x < 7.102 / 10.2.x < 10.2.11 / 10.3.x < 10.3.9 / 11.x < 11.0.8 Multiple Vulnerabilities (drupal-2024-11-20)	Nessus	CGI abuses	critical

Detections

Analytics

CVE-2024-55634

high

Tenable Plugins

critical

critical

critical

critical

critical