Drupal · Drupal Core · CVE-2024-55638
Name of the Vulnerable Software and Affected Versions:
Drupal Core versions 7.0 through 7.101
Drupal Core versions 8.0.0 through 10.2.10
Drupal Core versions 10.3.0 through 10.3.8
Description:
Drupal core contains a gadget chain that is reachable through deserialization of untrusted data (object injection). The chain is not directly exploitable on its own: it becomes a vector for remote code execution only when a separate vulnerability allows an attacker to pass unsafe input to `unserialize()`, at which point the application deserializes attacker-controlled data and the gadget chain can run.
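The prerequisite described above is untrusted input reaching `unserialize()`. The following PHP is an added example, not Drupal core code: it shows why that call is the choke point (magic methods run before the caller sees the result) and how restricting `allowed_classes` blunts object injection. The `AuditedHandle` class and the serialized payload are constructed for the demonstration.

```php
<?php
declare(strict_types=1);

// Stand-in for any class whose magic methods run automatically during
// unserialize(). A gadget chain strings such methods together across
// real classes; here __wakeup() only records that it was invoked.
final class AuditedHandle
{
    public static array $log = [];
    public string $target = 'demo';

    public function __wakeup(): void
    {
        self::$log[] = "__wakeup() ran for target={$this->target}";
    }
}

// Constructed sample payload: whoever controls this string controls which
// class gets instantiated on the receiving side.
$untrusted = serialize(new AuditedHandle());

// Unsafe: any class loadable by the application can be instantiated and its
// magic methods invoked before the caller inspects the returned value.
$obj = unserialize($untrusted);
printf("unrestricted: %s, log=%s\n", get_class($obj), json_encode(AuditedHandle::$log));

AuditedHandle::$log = [];

// Hardened: allowed_classes => false maps every object to
// __PHP_Incomplete_Class, so no __wakeup()/__destruct() gadget is reached.
$safe = unserialize($untrusted, ['allowed_classes' => false]);
printf("restricted:   %s, log=%s\n", get_class($safe), json_encode(AuditedHandle::$log));

// Defensive check for callers that only ever expect scalars and arrays:
// walk the decoded value and reject any (even nested) object placeholder.
function containsObject(mixed $value): bool
{
    if ($value instanceof __PHP_Incomplete_Class) {
        return true;
    }
    if (is_array($value)) {
        foreach ($value as $item) {
            if (containsObject($item)) {
                return true;
            }
        }
    }
    return false;
}

var_dump(containsObject(unserialize($untrusted, ['allowed_classes' => false])));
var_dump(containsObject(unserialize(serialize(['a' => 1, 'nested' => [2, 3]]), ['allowed_classes' => false])));
```

Where the stored data does not need PHP objects at all, a format such as JSON avoids the deserialization surface entirely rather than filtering it.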
Recommendations:
For versions 7.0 through 7.101, update to version 7.102 or later.
For versions 8.0.0 through 10.2.10, update to version 10.2.11 or later.
For versions 10.3.0 through 10.3.8, update to version 10.3.9 or later.
As a temporary workaround, add additional checks to the database code to help protect against this vulnerability. If you use a third-party database driver, check its release notes for any additional configuration steps that may be required.