The vulnerability is cross-site scripting (XSS) via HTTP exceptions, that is, improper sanitization during error page generation. In Drupal 8, DefaultExceptionHtmlSubscriber is the event subscriber that renders HTTP exceptions as HTML error pages. Its createResponse method builds the error page content from exception messages, and those messages can derive from user-controllable input such as the requested URL. Before 8.1.10, these messages were not properly escaped when passed to the Twig templates, so an attacker-influenced message could inject script into the rendered error page. The patch likely added escaping at this point, which matches the CWE-79 pattern of XSS in exception-handling workflows.
| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| drupal/core | composer | >= 8.0, < 8.1.10 | 8.1.10 |
| drupal/drupal | composer | >= 8.0, < 8.1.10 | 8.1.10 |