PT-2024-9339 · Drupal · Drupal Core
Author: Benji Fisher +7
Published: 2024-11-20 · Updated: 2025-06-03
CVE-2024-12393
CVSS v3.1: 5.4 (Medium)
Vector: AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions: Drupal Core versions 8.8.0 through 10.2.11; Drupal Core versions 10.3.0 through 10.3.9; Drupal Core versions 11.0.0 through 11.0.8.
Description: Drupal Core does not sufficiently protect the structure of the generated web page: input is improperly neutralized during web page generation, so an attacker who can supply such input is able to conduct a cross-site scripting (XSS) attack against users of the affected site.
Recommendations: For Drupal Core versions 8.8.0 through 10.2.11, update to version 10.2.11 or later. For Drupal Core versions 10.3.0 through 10.3.9, update to version 10.3.9 or later. For Drupal Core versions 11.0.0 through 11.0.8, update to version 11.0.8 or later. As a temporary workaround, consider restricting the use of JavaScript to render status messages in the affected cases and configurations to reduce the risk of exploitation.

Fix

XSS

Weakness Enumeration

Related Identifiers

BDU:2024-11029
BIT-DRUPAL-2024-12393
CVE-2024-12393
DRUPAL-CORE-2024-003
GHSA-8MVQ-8H2V-J9VF

Affected Products

Drupal Core