Drupal core - Moderately critical - Cross Site Scripting - SA-CORE-2019-004

CVE-2019-6341

5.4MEDIUM

Key Information

Vendor: Drupal
Status: Drupal Core
Vendor: CVE Published:; 26 March 2019

Summary

In Drupal 7 versions prior to 7.65; Drupal 8.6 versions prior to 8.6.13;Drupal 8.5 versions prior to 8.5.14. Under certain circumstances the File module/subsystem allows a malicious user to upload a file that can trigger a cross-site scripting (XSS) vulnerability.

Affected Version(s)

Drupal core < 7.65

Drupal core < 8.6.13

Drupal core < 8.5.14

Refferences

https://www.drupal.org/sa-core-2019-004

x_refsource_CONFIRM

https://lists.debian.org/debian-lts-announce/2019/04/msg0...

mailing-listx_refsource_MLIST

https://www.synology.com/security/advisory/Synology_SA_19_13

x_refsource_CONFIRM

https://lists.fedoraproject.org/archives/list/package-ann...

vendor-advisoryx_refsource_FEDORA

https://lists.fedoraproject.org/archives/list/package-ann...

vendor-advisoryx_refsource_FEDORA

https://lists.fedoraproject.org/archives/list/package-ann...

vendor-advisoryx_refsource_FEDORA

https://lists.fedoraproject.org/archives/list/package-ann...

vendor-advisoryx_refsource_FEDORA

EPSS Score

57% chance of being exploited in the next 30 days.

CVSS V3.1

Score:

5.4

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

Required

Scope:

Changed

Timeline

Vulnerability published
Mar 26, 2019
Vulnerability Reserved
Jan 15, 2019

Collectors

NVD DatabaseMitre Database

.