GHSA-8mvq-8h2v-j9vf
GitHub Security Advisory
Drupal Core Cross-Site Scripting (XSS)
✓ GitHub Reviewed
MODERATE
Has CVE
Advisory Details
Drupal uses JavaScript to render status messages in some cases and configurations. In certain situations, the status messages are not adequately sanitized. This issue affects Drupal Core: from 8.8.0 before 10.2.11, from 10.3.0 before 10.3.9, from 11.0.0 before 11.0.8.
Affected Packages
Packagist drupal/core - Affected versions: 8.8.0 (fixed in 10.2.11)
Packagist drupal/core - Affected versions: 10.3.0 (fixed in 10.3.9)
Packagist drupal/core - Affected versions: 11.0.0 (fixed in 11.0.8)
Packagist drupal/core-recommended - Affected versions: 8.8.0 (fixed in 10.2.11)
Packagist drupal/core-recommended - Affected versions: 10.3.0 (fixed in 10.3.9)
Packagist drupal/core-recommended - Affected versions: 11.0.0 (fixed in 11.0.8)
Packagist drupal/drupal - Affected versions: 8.8.0 (fixed in 10.2.11)
Packagist drupal/drupal - Affected versions: 10.3.0 (fixed in 10.3.9)
Packagist drupal/drupal - Affected versions: 11.0.0 (fixed in 11.0.8)
Related CVEs
Key Information
5.0/10
Dataset
Last updated: June 18, 2025 6:25 AM
Data from GitHub Advisory Database. This information is provided for research and educational purposes.