{"id":"DRUPAL-CORE-2024-002","details":"Under certain uncommon site configurations, a bug in the CKEditor 5 module can cause some image uploads to move the entire webroot to a different location on the file system. This could be exploited by a malicious user to take down a site.\n\nThe issue is mitigated by the fact that several non-default site configurations must exist simultaneously for this to occur.","aliases":["BIT-drupal-2024-11942","CVE-2024-11942","GHSA-52jr-x6h6-xj6g"],"modified":"2025-12-10T23:40:59.635498Z","published":"2024-10-16T16:27:27Z","references":[{"type":"WEB","url":"https://www.drupal.org/sa-core-2024-002"}],"affected":[{"package":{"name":"drupal/core","ecosystem":"Packagist","purl":"pkg:composer/drupal/core"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"10.0.0"},{"fixed":"10.2.10"}],"database_specific":{"constraint":"\u003e=10.0 \u003c 10.2.10"}}],"versions":["10.0.0","10.0.1","10.0.10","10.0.11","10.0.2","10.0.3","10.0.4","10.0.5","10.0.6","10.0.7","10.0.8","10.0.9","10.1.0","10.1.0-alpha1","10.1.0-beta1","10.1.0-rc1","10.1.1","10.1.2","10.1.3","10.1.4","10.1.5","10.1.6","10.1.7","10.1.8","10.2.0","10.2.0-alpha1","10.2.0-beta1","10.2.0-rc1","10.2.1","10.2.2","10.2.3","10.2.4","10.2.5","10.2.6","10.2.7","10.2.8","10.2.9"],"database_specific":{"affected_versions":"\u003e=10.0 \u003c 10.2.10","source":"https://github.com/DrupalSecurityTeam/drupal-advisory-database/blob/main/advisories/core/DRUPAL-CORE-2024-002.json"}}],"schema_version":"1.7.3","credits":[{"name":"Pierre Rudloff","contact":["https://www.drupal.org/user/3611858"]}]}