CVE-2023-5256

Published: Sep 28, 2023

Modified: Sep 23, 2024

PUBLISHED

Description

In certain scenarios, Drupal's JSON:API module will output error backtraces. With some configurations, this may cause sensitive information to be cached and made available to anonymous users, leading to privilege escalation. This vulnerability only affects sites with the JSON:API module enabled, and can be mitigated by uninstalling JSON:API. The core REST and contributed GraphQL modules are not affected.

Vendor	Product	Versions
Drupal	Core	affected `10.1 - <= 10.1.4` affected `10.0 - <= 10.0.11` affected `9.5 - <= 9.5.11`

Weaknesses (CWE)

CWE-200

References

https://www.drupal.org/sa-core-2023-006

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Start Training

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.

Scan Now

CVE-2023-5256

Description

Affected Products

Weaknesses (CWE)

References