CVE-2019-6340

Warnung

Exploit

EPSS 94.44%
Veröffentlicht 21.02.2019 21:29:00
Zuletzt bearbeitet 07.11.2025 19:36:49
Quelle mlhess@drupal.org
CVE-Watchlists
Login
Unerledigt
Login

Drupal core - Highly critical - Remote Code Execution

Some field types do not properly sanitize data from non-form sources in Drupal 8.5.x before 8.5.11 and Drupal 8.6.x before 8.6.10. This can lead to arbitrary PHP code execution in some cases. A site is only affected by this if one of the following conditions is met: The site has the Drupal 8 core RESTful Web Services (rest) module enabled and allows PATCH or POST requests, or the site has another web services module enabled, like JSON:API in Drupal 8, or Services or RESTful Web Services in Drupal 7. (Note: The Drupal 7 Services module itself does not require an update at this time, but you should apply other contributed updates associated with this advisory if Services is in use.)

Betroffene Produkte Warnungen 1 Metriken 4 CWE 1 Referenzen 10

NVD 2 VulnDex Vulnerability Enrichment 0

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Drupal ≫ Drupal Version >= 8.5.0 < 8.5.11

Drupal ≫ Drupal Version >= 8.6.0 < 8.6.10

25.03.2022: CISA Known Exploited Vulnerabilities (KEV) Catalog

Drupal Core Remote Code Execution Vulnerability

Schwachstelle

In Drupal Core, some field types do not properly sanitize data from non-form sources. This can lead to arbitrary PHP code execution in some cases.

Beschreibung

Apply updates per vendor instructions.

Erforderliche Maßnahmen

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	94.44%	1

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	8.1	2.2	5.9	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd@nist.gov	6.8	8.6	6.4	AV:N/AC:M/Au:N/C:P/I:P/A:P
134c704f-9b21-4f2e-91b3-4a467353bcc0	8.1	2.2	5.9	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H