CVE-2024-55636

Source
https://nvd.nist.gov/vuln/detail/CVE-2024-55636
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2024-55636.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2024-55636
Aliases
Related
Published
2024-12-10T00:15:22Z
Modified
2025-06-03T16:42:38.892700Z
Summary
[none]
Details

Deserialization of Untrusted Data vulnerability in Drupal Core allows Object Injection. This issue affects Drupal Core: from 8.0.0 before 10.2.11, from 10.3.0 before 10.3.9, from 11.0.0 before 11.0.8.

Drupal core contains a chain of methods that is exploitable when an insecure deserialization vulnerability exists on the site. This so-called gadget chain presents no direct threat, but is a vector that can be used to achieve remote code execution if the application deserializes untrusted data due to another vulnerability.

References

Affected packages

Git / github.com/drupal/drupal

Affected ranges

Type
GIT
Repo
https://github.com/drupal/drupal
Events

Affected versions

10.*

10.0.0-alpha1
10.0.0-alpha3
10.0.0-alpha4
10.0.0-alpha5
10.1.0-alpha1
10.2.0
10.2.0-alpha1
10.2.0-beta1
10.2.0-rc1
10.2.1
10.2.10
10.2.2
10.2.3
10.2.4
10.2.5
10.2.6
10.2.7
10.2.8
10.2.9

8.*

8.0.0
8.1.0-beta1

9.*

9.0.0-alpha1
9.0.0-alpha2