Deserialization of Untrusted Data vulnerability in Drupal Core allows Object Injection.This issue affects Drupal Core: from 7.0 before 7.102, from 8.0.0 before 10.2.11, from 10.3.0 before 10.3.9. Drupal core contains a chain of methods that is exploitable when an insecure deserialization vulnerability exists on the site. This so-called gadget chain presents no direct threat but is a vector that can be used to achieve remote code execution if the application deserializes untrusted data due to another vulnerability.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HDrupal
APPDrupal7.0 – 7.102 (bez)8.0.0 – 10.2.11 (bez)10.3.0 – 10.3.9 (bez)
Related vulnerabilities
A remote code execution vulnerability exists within multiple subsystems of Drupal 7.x and 8.x. This potentiall...
Drupal before 7.58, 8.x before 8.3.9, 8.4.x before 8.4.6, and 8.5.x before 8.5.1 allows remote attackers to ex...
Deserializacja niezaufanych danych w Drupal Core umożliwia RCE
Deserialization podatności w Drupal Core umożliwiająca RCE (Object Injection)
Drupal's JSON:API and REST/File modules allow file uploads through their HTTP APIs. The modules do not correct...