Deserialization of Untrusted Data vulnerability in Drupal Core allows Object Injection. This issue affects Drupal Core: from 8.0.0 before 10.2.11, from 10.3.0 before 10.3.9, from 11.0.0 before 11.0.8.
Drupal core contains a chain of methods that is exploitable when an insecure deserialization vulnerability exists on the site. This so-called gadget chain presents no direct threat, but is a vector that can be used to achieve remote code execution if the application deserializes untrusted data due to another vulnerability.
                
References
| Link | Resource |
|---|---|
| https://www.drupal.org/sa-core-2024-006 | Vendor Advisory | 
History
02 Jun 2025, 16:23
| Type | Values Removed | Values Added | 
|---|---|---|
| First Time | Drupal Drupal drupal | |
| References | () https://www.drupal.org/sa-core-2024-006 - Vendor Advisory | |
| CPE | cpe:2.3:a:drupal:drupal:*:*:*:*:*:*:*:* | |
| CWE | CWE-502 | 
16 Dec 2024, 18:15
| Type | Values Removed | Values Added | 
|---|---|---|
| Summary | | |
| Summary | (en) Deserialization of Untrusted Data vulnerability in Drupal Core allows Object Injection. This issue affects Drupal Core: from 8.0.0 before 10.2.11, from 10.3.0 before 10.3.9, from 11.0.0 before 11.0.8. Drupal core contains a chain of methods that is exploitable when an insecure deserialization vulnerability exists on the site. This so-called gadget chain presents no direct threat, but is a vector that can be used to achieve remote code execution if the application deserializes untrusted data due to another vulnerability. | 
10 Dec 2024, 22:15
| Type | Values Removed | Values Added | 
|---|---|---|
| CVSS | v2 : v3 : | v2 : unknown v3 : 9.8 | 
10 Dec 2024, 00:15
| Type | Values Removed | Values Added | 
|---|---|---|
| New CVE | 
Information
Published : 2024-12-10 00:15
Updated : 2025-06-02 16:23
NVD link : CVE-2024-55636
Mitre link : CVE-2024-55636
CVE.ORG link : CVE-2024-55636
Products Affected
drupal
- drupal
