Drupal core provides a page that outputs the markup from phpinfo() to assist with diagnosing PHP configuration.
If an attacker was able to achieve an XSS exploit against a privileged user, they may be able to use the phpinfo page to access sensitive information that could be used to escalate the attack.
This vulnerability is mitigated by the fact that a successful XSS exploit is required in order to exploit it.
Install the latest version:
If you are using Drupal 10.0, update to Drupal 10.0.5.
If you are using Drupal 9.5, update to Drupal 9.5.5.
If you are using Drupal 9.4, update to Drupal 9.4.12.
If you are using Drupal 7, update to Drupal 7.95.
All versions of Drupal 9 prior to 9.4.x are end-of-life and do not receive security coverage. Note that Drupal 8 has reached its end of life.
Elar Lang
Lee Rowlands of the Drupal Security Team
Alex Bronstein of the Drupal Security Team
Joseph Zhao Provisional Member of the Drupal Security Team
Drew Webber of the Drupal Security Team
Jen Lampton Provisional Member of the Drupal Security Team
Nate Lampton
Greg Knaddison of the Drupal Security Team
More Stories
CyberDanube Security Research 20240919-0 | Multiple Vulnerabilities in Netman204
Posted by Thomas Weber via Fulldisclosure on Sep 23 CyberDanube Security Research 20240919-0 ------------------------------------------------------------------------------- title| Multiple Vulnerabilities product| Netman 204...
Submit Exploit CVE-2024-42831
Posted by arfaoui haythem on Sep 23 # Exploit Title: Reflected XSS in Elaine's Realtime CRM Automation v6.18.17 # Date:...
USN-7021-2: Linux kernel vulnerabilities
Several security issues were discovered in the Linux kernel. An attacker could possibly use these to compromise the system. This...
USN-7029-1: Linux kernel vulnerabilities
Chenyuan Yang discovered that the CEC driver driver in the Linux kernel contained a use-after-free vulnerability. A local attacker could...
USN-7007-3: Linux kernel vulnerabilities
Chenyuan Yang discovered that the CEC driver driver in the Linux kernel contained a use-after-free vulnerability. A local attacker could...
USN-6999-2: Linux kernel vulnerabilities
Chenyuan Yang discovered that the CEC driver driver in the Linux kernel contained a use-after-free vulnerability. A local attacker could...