Drupal · Drupal · CVE-2026-6366
**Name of the Vulnerable Software and Affected Versions**
Drupal core versions 8.0.0 through 10.5.8
Drupal core versions 10.6.0 through 10.6.6
Drupal core versions 11.0.0 through 11.2.10
Drupal core versions 11.3.0 through 11.3.6
**Description**
Drupal core allows Object Injection due to improperly controlled modification of dynamically-determined object attributes. The issue is a gadget chain (a sequence of existing code fragments) that can be leveraged to achieve remote code execution or SQL injection, but only if a separate vulnerability causes the application to pass untrusted data to the `unserialize()` function. This issue is not directly exploitable on its own.
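The precondition described above, shown in isolation with a harmless class: PHP runs a class's magic methods on properties taken from the serialized bytes unless `unserialize()` is told not to instantiate classes. This is an added example, not Drupal code and not part of the advisory; `AuditProbe` and `probe()` are hypothetical names, the serialized input is constructed, and PHP 7.4 or later is assumed.

```php
<?php
declare(strict_types=1);

// Constructed, harmless stand-in for a class with magic methods (not Drupal code).
final class AuditProbe
{
    /** @var string[] magic methods that ran, in order */
    public static array $fired = [];
    public string $label = 'default';

    public function __wakeup(): void
    {
        self::$fired[] = "__wakeup({$this->label})";
    }

    public function __destruct()
    {
        self::$fired[] = "__destruct({$this->label})";
    }
}

/** Deserialize $blob with the given options; report the result type and what ran. */
function probe(string $blob, array $options): array
{
    AuditProbe::$fired = [];
    $value = unserialize($blob, $options);
    $type = is_object($value) ? get_class($value) : gettype($value);
    unset($value); // drop the last reference so any destructor runs now
    return ['type' => $type, 'fired' => AuditProbe::$fired];
}

// Constructed sample input: the property value travels inside the byte string,
// so whoever supplies the string chooses it.
$sample = new AuditProbe();
$sample->label = 'set-by-sender';
$blob = serialize($sample);
unset($sample);

$cases = [
    'default (any class)'        => [],
    'allowed_classes => false'   => ['allowed_classes' => false],
    'allow-list without probe'   => ['allowed_classes' => [stdClass::class]],
];
foreach ($cases as $name => $options) {
    $r = probe($blob, $options);
    printf("%-26s type=%-22s fired=[%s]\n", $name, $r['type'], implode(', ', $r['fired']));
}
```

With the restricted options the value comes back as `__PHP_Incomplete_Class` and no method of `AuditProbe` runs; with the default options both magic methods run on the sender-supplied property.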
**Recommendations**
Update versions 8.0.0 through 10.5.8 to 10.5.9.
Update versions 10.6.0 through 10.6.6 to 10.6.7.
Update versions 11.0.0 through 11.2.10 to 11.2.11.
Update versions 11.3.0 through 11.3.6 to 11.3.7.