N/A

CVSS Score

Basic Information

CVE ID

GHSA ID

GHSA-jjx7-8462-w4m4

EPSS Score

CWE

CWE-20

Published

5/15/2024

Updated

5/15/2024

KEV Status

Technology

PHP

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

GHSA-jjx7-8462-w4m4

GHSA-jjx7-8462-w4m4: Drupal Core Insufficient Contextual Links validation leads to Remote Code Execution

The Contextual Links module doesn't sufficiently validate the requested contextual links. This vulnerability is mitigated by the fact that an attacker must have a role with the permission "access contextual links".

(GitHub Advisory)

N/A

CVSS Score

Basic Information

CVE ID

GHSA ID

GHSA-jjx7-8462-w4m4

EPSS Score

CWE

CWE-20

Published

5/15/2024

Updated

5/15/2024

KEV Status

Technology

PHP

Technical Details

CVSS Vector

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
drupal/drupal	composer	>= 8.0.0, < 8.5.8	8.5.8
drupal/drupal	composer	>= 8.6.0, < 8.6.2	8.6.2

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from improper input validation in contextual links processing. The ContextualController::renderLinks method handles user-submitted serialized data (via 'ids' parameter) to generate contextual links. The advisory indicates insufficient validation of these contextual links requests, which aligns with deserialization vulnerabilities (CWE-20). Drupal's patch would have addressed this by adding validation/sanitization before deserialization. The method's role in processing untrusted input and the RCE outcome strongly suggest this as the vulnerable entry point.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

T** *ont*xtu*l Links mo*ul* *o*sn't su**i*i*ntly v*li**t* t** r*qu*st** *ont*xtu*l links. T*is vuln*r**ility is miti**t** *y t** ***t t**t *n *tt**k*r must **v* * rol* wit* t** p*rmission "****ss *ont*xtu*l links".

Reasoning

T** vuln*r**ility st*ms *rom improp*r input v*li**tion in *ont*xtu*l links pro**ssin*. T** `*ont*xtu*l*ontroll*r::r*n**rLinks` m*t*o* **n*l*s us*r-su*mitt** s*ri*liz** **t* (vi* 'i*s' p*r*m*t*r) to **n*r*t* *ont*xtu*l links. T** **visory in*i**t*s in

N/A

Basic Information

Concerned about an active attack path?

GHSA-jjx7-8462-w4m4: Drupal Core Insufficient Contextual Links validation leads to Remote Code Execution

N/A

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI