CVE-2024-55638: 
PHP vulnerability analysis and mitigation

Deserialization of Untrusted Data vulnerability (CVE-2024-55638) affects Drupal Core versions from 7.0 before 7.102, from 8.0.0 before 10.2.11, and from 10.3.0 before 10.3.9. The vulnerability was discovered and disclosed on December 9, 2024. The issue involves a chain of methods in Drupal core that becomes exploitable when an insecure deserialization vulnerability exists on the site (NVD).

The vulnerability is characterized as a gadget chain within Drupal core that can be leveraged for remote code execution when the application deserializes untrusted data. While this gadget chain itself presents no direct threat, it becomes a potential attack vector when combined with another vulnerability that allows untrusted data deserialization. The vulnerability has received a CVSS v3.1 Base Score of 9.8 (CRITICAL) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H (CISA-ADP).

If exploited in conjunction with another vulnerability that enables untrusted data deserialization, this vulnerability could lead to remote code execution on the affected system. The high CVSS score indicates that successful exploitation could result in complete compromise of the system's confidentiality, integrity, and availability (NVD).

Users should upgrade to the following patched versions: Drupal 7.102 if using Drupal 7.x, Drupal 10.2.11 if using versions between 8.0.0 and 10.2.x, or Drupal 10.3.9 if using version 10.3.x (NVD).