Some field types do not properly sanitize data from non-form sources in Drupal 8.5.x before 8.5.11 and Drupal 8.6.x before 8.6.10. This can lead to arbitrary PHP code execution in some cases. A site is only affected by this if one of the following conditions is met: The site has the Drupal 8 core RESTful Web Services (rest) module enabled and allows PATCH or POST requests, or the site has another web services module enabled, like JSON:API in Drupal 8, or Services or RESTful Web Services in Drupal 7. (Note: The Drupal 7 Services module itself does not require an update at this time, but you should apply other contributed updates associated with this advisory if Services is in use.)
References
Link | Resource |
---|---|
http://www.securityfocus.com/bid/107106 | Third Party Advisory VDB Entry |
https://www.drupal.org/sa-core-2019-003 | Mitigation Vendor Advisory |
https://www.exploit-db.com/exploits/46452/ | Patch Third Party Advisory VDB Entry |
https://www.exploit-db.com/exploits/46459/ | Exploit Third Party Advisory VDB Entry |
https://www.exploit-db.com/exploits/46510/ | Exploit Third Party Advisory |
https://www.synology.com/security/advisory/Synology_SA_19_09 | Third Party Advisory |
http://www.securityfocus.com/bid/107106 | Third Party Advisory VDB Entry |
https://www.drupal.org/sa-core-2019-003 | Mitigation Vendor Advisory |
https://www.exploit-db.com/exploits/46452/ | Patch Third Party Advisory VDB Entry |
https://www.exploit-db.com/exploits/46459/ | Exploit Third Party Advisory VDB Entry |
https://www.exploit-db.com/exploits/46510/ | Exploit Third Party Advisory |
https://www.synology.com/security/advisory/Synology_SA_19_09 | Third Party Advisory |
Configurations
Configuration 1 (hide)
|
History
21 Nov 2024, 04:46
Type | Values Removed | Values Added |
---|---|---|
References | () http://www.securityfocus.com/bid/107106 - Third Party Advisory, VDB Entry | |
References | () https://www.drupal.org/sa-core-2019-003 - Mitigation, Vendor Advisory | |
References | () https://www.exploit-db.com/exploits/46452/ - Patch, Third Party Advisory, VDB Entry | |
References | () https://www.exploit-db.com/exploits/46459/ - Exploit, Third Party Advisory, VDB Entry | |
References | () https://www.exploit-db.com/exploits/46510/ - Exploit, Third Party Advisory | |
References | () https://www.synology.com/security/advisory/Synology_SA_19_09 - Third Party Advisory |
Information
Published : 2019-02-21 21:29
Updated : 2024-11-21 04:46
NVD link : CVE-2019-6340
Mitre link : CVE-2019-6340
CVE.ORG link : CVE-2019-6340
JSON object : View
Products Affected
drupal
- drupal
CWE
CWE-502
Deserialization of Untrusted Data