CVE-2023-5256
Severity: HIGH
Drupal 8.7.0-9.5.10 - Unauthenticated Sensitive Information Exposure via JSON:API Error Backtrace
Title source: llmDescription
In certain scenarios, Drupal's JSON:API module will output error backtraces. With some configurations, this may cause sensitive information to be cached and made available to anonymous users, leading to privilege escalation. This vulnerability only affects sites with the JSON:API module enabled, and can be mitigated by uninstalling JSON:API. The core REST and contributed GraphQL modules are not affected.
References (1)
Vendor Advisory
https://www.drupal.org/sa-core-2023-006
Scores
CVSS v3
7.5
EPSS
0.0129
EPSS Percentile
79.9%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
total
Details
CWE
CWE-200
Status
published
Products (2)
drupal/core
8.7.0 - 9.5.11 (Packagist)
drupal/drupal
8.7.0 - 9.5.11
Published
Sep 28, 2023
Tracked Since
Feb 18, 2026