This vulnerability in Drupal core (versions 11.3.0 before 11.3.7) is classified as CWE-79, which involves improper neutralization of input leading to Cross-Site Scripting (XSS). The flaw allows attackers to inject malicious scripts into web pages generated by Drupal, potentially impacting confidentiality and integrity of data viewed by users. The CVSS 3.1 vector indicates the attack can be performed remotely over the network with low attack complexity and no privileges required, but user interaction is needed. The scope is changed, meaning the vulnerability affects resources beyond the initially vulnerable component. The impact includes low confidentiality and integrity impact, with no availability impact. No official patch or vendor advisory is provided in the data, and no known exploits have been reported.

Successful exploitation could allow an attacker to execute arbitrary scripts in the context of the affected Drupal site, potentially leading to information disclosure or manipulation of displayed content. The CVSS score of 6.1 reflects a medium severity with partial impact to confidentiality and integrity. There is no indication of availability impact. No known active exploitation has been reported.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Since no official patch or remediation level is provided in the available data, users should monitor Drupal's official security advisories for updates. Until a fix is available, consider applying any recommended temporary mitigations from Drupal or restricting user input that could trigger XSS. Avoid relying on generic mitigations unless specifically advised by the vendor.