PT-2024-9995 · Unknown (+1) · Ckeditor 5 (+1)
Benji Fisher (+7)
Published: 2024-10-16 · Updated: 2025-06-03
CVE-2024-11942
CVSS v3.1: 5.9 (Medium)
Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N
Name of the Vulnerable Software and Affected Versions: Drupal Core versions 10.0.0 through 10.2.9
Description: A vulnerability in Drupal Core allows file manipulation. The issue stems from weaknesses in handling error conditions and could allow a remote attacker to compromise the integrity of protected information. Under certain uncommon site configurations, a bug in the CKEditor 5 module can cause some image uploads to move the entire webroot to a different location on the file system, potentially allowing a malicious user to take down the site. The issue is mitigated by the fact that several non-default site configurations must be present simultaneously for this to occur.
Recommendations: For Drupal Core versions 10.0.0 through 10.2.9, update to version 10.2.10 or later to resolve the issue. As a temporary workaround, consider restricting access to the CKEditor 5 module to minimize the risk of exploitation, and avoid using the module for image uploads until the update has been applied.
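A quick way to confirm whether an installed Drupal core falls inside the affected range is to compare its version numerically against 10.0.0 through 10.2.9, since a plain string comparison gets 10.2.10 wrong. The script below is an added example written for this advisory, not a tool from the advisory or from the Drupal project; it assumes a three-part version string such as the one `drush status --field=drupal-version` prints, and the sample versions it checks are constructed for illustration.

```shell
#!/bin/sh
# Added example (not part of the advisory): decide whether a Drupal core
# version string falls in the affected range 10.0.0 through 10.2.9.

# Turn "major.minor.patch" into a single integer so versions compare
# numerically (10.2.10 > 10.2.9, which a string compare would miss).
# A pre-release suffix such as "-rc1" is dropped; missing parts count as 0.
ver_key() {
    v=${1%%-*}
    IFS=. read -r major minor patch rest <<EOF
$v
EOF
    echo $(( ${major:-0} * 1000000 + ${minor:-0} * 1000 + ${patch:-0} ))
}

# Returns 0 (true) when the version is within the affected range,
# 1 otherwise. The bounds come from the advisory text above.
drupal_core_affected() {
    key=$(ver_key "$1")
    if [ "$key" -ge "$(ver_key 10.0.0)" ] && [ "$key" -le "$(ver_key 10.2.9)" ]; then
        return 0
    fi
    return 1
}

# Demonstration on constructed sample versions. On a live site you would
# pass the real value instead, e.g. from: drush status --field=drupal-version
for sample in 9.5.11 10.0.0 10.1.7 10.2.9 10.2.10 10.3.0; do
    if drupal_core_affected "$sample"; then
        echo "$sample: AFFECTED - update to 10.2.10 or later"
    else
        echo "$sample: not in affected range"
    fi
done
```

The numeric key is deliberately simple (a weight of 1000 per component), which is enough for Drupal's major.minor.patch scheme; it is not a general semver comparator and will not rank pre-release tags against each other.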

Related Identifiers

BDU:2025-00121
BIT-DRUPAL-2024-11942
CVE-2024-11942
DRUPAL-CORE-2024-002
GHSA-52JR-X6H6-XJ6G

Affected Products

Ckeditor 5
Drupal Core