Drupal core - Moderately critical - Cross Site Scripting - SA-CORE-2019-004

CVE-2019-6341
5.4MEDIUM

Key Information

Vendor
Drupal
Status
Drupal Core
Vendor
CVE Published:
26 March 2019

Summary

In Drupal 7 versions prior to 7.65; Drupal 8.6 versions prior to 8.6.13;Drupal 8.5 versions prior to 8.5.14. Under certain circumstances the File module/subsystem allows a malicious user to upload a file that can trigger a cross-site scripting (XSS) vulnerability.

Affected Version(s)

Drupal core < 7.65

Drupal core < 8.6.13

Drupal core < 8.5.14

EPSS Score

65% chance of being exploited in the next 30 days.

CVSS V3.1

Score:
5.4
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
Low
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
Required
Scope:
Changed

Timeline

  • Vulnerability published.

  • Vulnerability Reserved.

Collectors

NVD DatabaseMitre Database
.