VulnerableCode Package Details - pkg:composer/drupal/core-recommended@10.3.9

Search for packages

Vulnerability	Summary	Fixed by
This package is not known to be affected by vulnerabilities.

Vulnerability

Summary

Fixed by

This package is not known to be affected by vulnerabilities.

Vulnerability	Summary	Aliases
VCID-4jtc-4hr1-nkdh	Drupal core contains a potential PHP Object Injection vulnerability that (if combined with another exploit) could lead to Remote Code Execution. It is not directly exploitable. This issue is mitigated by the fact that in order for it to be exploitable, a separate vulnerability must be present to allow an attacker to pass unsafe input to `unserialize()`. There are no such known exploits in Drupal core. To help protect against this potential vulnerability, some additional checks have been added to Drupal core's database code. If you use a third-party database driver, check the release notes for additional configuration steps that may be required in certain cases. This issue affects Drupal Core: from 7.0 before 7.102, from 8.0.0 before 10.2.11, from 10.3.0 before 10.3.9.	CVE-2024-55638 GHSA-gvf2-2f4g-jqf4
VCID-5nbe-p67k-a3af	Drupal core Access bypass Drupal's uniqueness checking for certain user fields is inconsistent depending on the database engine and its collation. As a result, a user may be able to register with the same email address as another user. This may lead to data integrity issues. This issue affects Drupal Core: from 8.0.0 before 10.2.11, from 10.3.0 before 10.3.9, from 11.0.0 before 11.0.8.	CVE-2024-55634 GHSA-7cwc-fjqm-8vh8
VCID-j5qe-6g2x-7kcw	Drupal core contains a potential PHP Object Injection vulnerability that (if combined with another exploit) could lead to Artbitrary File Deletion. It is not directly exploitable. This issue is mitigated by the fact that in order to be exploitable, a separate vulnerability must be present that allows an attacker to pass unsafe input to `unserialize()`. There are no such known exploits in Drupal core. To help protect against this vulnerability, types have been added to properties in some of Drupal core's classes. If an application extends those classes, the same types may need to be specified on the subclass to avoid a `TypeError`. This issue affects Drupal Core: from 8.0.0 before 10.2.11, from 10.3.0 before 10.3.9, from 11.0.0 before 11.0.8.	CVE-2024-55636 GHSA-938f-5r4f-h65v
VCID-w7u4-yxfj-hyft	Drupal Core Cross-Site Scripting (XSS) Drupal uses JavaScript to render status messages in some cases and configurations. In certain situations, the status messages are not adequately sanitized. This issue affects Drupal Core: from 8.8.0 before 10.2.11, from 10.3.0 before 10.3.9, from 11.0.0 before 11.0.8.	CVE-2024-12393 GHSA-8mvq-8h2v-j9vf
VCID-z4u4-ub94-6bc5	Drupal core contains a potential PHP Object Injection vulnerability that (if combined with another exploit) could lead to Remote Code Execution. It is not directly exploitable. This issue is mitigated by the fact that in order for it to be exploitable, a separate vulnerability must be present to allow an attacker to pass unsafe input to `unserialize()`. There are no such known exploits in Drupal core. To help protect against this potential vulnerability, types have been added to properties in some of Drupal core's classes. If an application extends those classes, the same types may need to be specified on the subclass to avoid a `TypeError`. This issue affects Drupal Core: from 8.0.0 before 10.2.11, from 10.3.0 before 10.3.9, from 11.0.0 before 11.0.8.	CVE-2024-55637 GHSA-w6rx-9g2x-mg5g

Vulnerability

Summary

Aliases

VCID-4jtc-4hr1-nkdh

Drupal core contains a potential PHP Object Injection vulnerability that (if combined with another exploit) could lead to Remote Code Execution. It is not directly exploitable. This issue is mitigated by the fact that in order for it to be exploitable, a separate vulnerability must be present to allow an attacker to pass unsafe input to `unserialize()`. There are no such known exploits in Drupal core. To help protect against this potential vulnerability, some additional checks have been added to Drupal core's database code. If you use a third-party database driver, check the release notes for additional configuration steps that may be required in certain cases. This issue affects Drupal Core: from 7.0 before 7.102, from 8.0.0 before 10.2.11, from 10.3.0 before 10.3.9.

CVE-2024-55638
GHSA-gvf2-2f4g-jqf4

VCID-5nbe-p67k-a3af

Drupal core Access bypass Drupal's uniqueness checking for certain user fields is inconsistent depending on the database engine and its collation. As a result, a user may be able to register with the same email address as another user. This may lead to data integrity issues. This issue affects Drupal Core: from 8.0.0 before 10.2.11, from 10.3.0 before 10.3.9, from 11.0.0 before 11.0.8.

CVE-2024-55634
GHSA-7cwc-fjqm-8vh8

VCID-j5qe-6g2x-7kcw

Drupal core contains a potential PHP Object Injection vulnerability that (if combined with another exploit) could lead to Artbitrary File Deletion. It is not directly exploitable. This issue is mitigated by the fact that in order to be exploitable, a separate vulnerability must be present that allows an attacker to pass unsafe input to `unserialize()`. There are no such known exploits in Drupal core. To help protect against this vulnerability, types have been added to properties in some of Drupal core's classes. If an application extends those classes, the same types may need to be specified on the subclass to avoid a `TypeError`. This issue affects Drupal Core: from 8.0.0 before 10.2.11, from 10.3.0 before 10.3.9, from 11.0.0 before 11.0.8.

CVE-2024-55636
GHSA-938f-5r4f-h65v

VCID-w7u4-yxfj-hyft

Drupal Core Cross-Site Scripting (XSS) Drupal uses JavaScript to render status messages in some cases and configurations. In certain situations, the status messages are not adequately sanitized. This issue affects Drupal Core: from 8.8.0 before 10.2.11, from 10.3.0 before 10.3.9, from 11.0.0 before 11.0.8.

CVE-2024-12393
GHSA-8mvq-8h2v-j9vf

VCID-z4u4-ub94-6bc5

Drupal core contains a potential PHP Object Injection vulnerability that (if combined with another exploit) could lead to Remote Code Execution. It is not directly exploitable. This issue is mitigated by the fact that in order for it to be exploitable, a separate vulnerability must be present to allow an attacker to pass unsafe input to `unserialize()`. There are no such known exploits in Drupal core. To help protect against this potential vulnerability, types have been added to properties in some of Drupal core's classes. If an application extends those classes, the same types may need to be specified on the subclass to avoid a `TypeError`. This issue affects Drupal Core: from 8.0.0 before 10.2.11, from 10.3.0 before 10.3.9, from 11.0.0 before 11.0.8.

CVE-2024-55637
GHSA-w6rx-9g2x-mg5g

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2025-07-01T12:09:42.735235+00:00	GithubOSV Importer	Fixing	VCID-5nbe-p67k-a3af	https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/12/GHSA-7cwc-fjqm-8vh8/GHSA-7cwc-fjqm-8vh8.json	36.1.3
2025-07-01T12:09:41.338176+00:00	GithubOSV Importer	Fixing	VCID-w7u4-yxfj-hyft	https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/12/GHSA-8mvq-8h2v-j9vf/GHSA-8mvq-8h2v-j9vf.json	36.1.3
2025-07-01T12:09:39.389891+00:00	GithubOSV Importer	Fixing	VCID-z4u4-ub94-6bc5	https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/12/GHSA-w6rx-9g2x-mg5g/GHSA-w6rx-9g2x-mg5g.json	36.1.3
2025-07-01T12:09:37.438767+00:00	GithubOSV Importer	Fixing	VCID-j5qe-6g2x-7kcw	https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/12/GHSA-938f-5r4f-h65v/GHSA-938f-5r4f-h65v.json	36.1.3
2025-07-01T12:09:37.175078+00:00	GithubOSV Importer	Fixing	VCID-4jtc-4hr1-nkdh	https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/12/GHSA-gvf2-2f4g-jqf4/GHSA-gvf2-2f4g-jqf4.json	36.1.3