N/A

CVSS Score

-

CVSS Score

Basic Information

CVE ID

GHSA ID

GHSA-jjx7-8462-w4m4

EPSS Score

CWE

CWE-20

Published

5/15/2024

Updated

5/15/2024

KEV Status

Technology

PHP

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

GHSA-jjx7-8462-w4m4

GHSA-jjx7-8462-w4m4: Drupal Core Insufficient Contextual Links validation leads to Remote Code Execution

The Contextual Links module doesn't sufficiently validate the requested contextual links. This vulnerability is mitigated by the fact that an attacker must have a role with the permission "access contextual links".

(GitHub Advisory)

Miggo Vulnerability Database

→

GHSA-jjx7-8462-w4m4

GHSA-jjx7-8462-w4m4:

N/A

CVSS Score

-

CVSS Score

Basic Information

CVE ID

GHSA ID

GHSA-jjx7-8462-w4m4

EPSS Score

CWE

CWE-20

Published

5/15/2024

Updated

5/15/2024

KEV Status

Technology

PHP

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Technical Details

CVSS Vector

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
drupal/drupal	composer	>= 8.0.0, < 8.5.8	8.5.8
drupal/drupal	composer	>= 8.6.0, < 8.6.2	8.6.2

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from improper input validation in contextual links processing. The ContextualController::renderLinks method handles user-submitted serialized data (via 'ids' parameter) to generate contextual links. The advisory indicates insufficient validation of these contextual links requests, which aligns with deserialization vulnerabilities (CWE-20). Drupal's patch would have addressed this by adding validation/sanitization before deserialization. The method's role in processing untrusted input and the RCE outcome strongly suggest this as the vulnerable entry point.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

N/A

-

Basic Information

Basic Information

Concerned about an active attack path?

GHSA-jjx7-8462-w4m4: Drupal Core Insufficient Contextual Links validation leads to Remote Code Execution

GHSA-jjx7-8462-w4m4:

N/A

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

N/A

N/A

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

GHSA-jjx7-8462-w4m4: Drupal Core Insufficient Contextual Links validation leads to Remote Code Execution

Technical Details

Basic Information

Basic Information

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI