CVE-2019-6340
unknown
KEV
CVSS v3
—
CVSS v2
—
VIR risk
1.5
Description
In Drupal Core, some field types do not properly sanitize data from non-form sources. This can lead to arbitrary PHP code execution in some cases.
CISA KEV
- Vendor
- Drupal
- Product
- Core
- Due date
- 2022-04-15
Predictions
Exploit likelihood
99%
Patch ETA
—
Heuristic predictions, AS-IS, for prioritization only.
Mitigations
Vendor advisory: cisa-kev — https://nvd.nist.gov/vuln/detail/CVE-2019-6340
Exploits
Package impact
| Ecosystem | Package | Vulnerable | Fixed |
|---|---|---|---|
| Packagist | drupal/core | >=8.0.0,<8.5.11||>=8.6.0,<8.6.10 | 8.5.11 |
| Packagist | drupal/core | >=8.6.0,<8.6.10 | 8.6.10 |
| Packagist | drupal/core | >=7.0.0,<7.62.0 | 7.62.0 |
| Packagist | drupal/core | >=8.0.0,<8.5.11 | 8.5.11 |
| Packagist | drupal/drupal | >=7.0.0,<7.62.0 | 7.62.0 |
| Packagist | drupal/drupal | >=8.0.0,<8.5.11 | 8.5.11 |
| Packagist | drupal/drupal | >=8.6.0,<8.6.10 | 8.6.10 |
References
- https://www.drupal.org/sa-core-2019-003
- https://nvd.nist.gov/vuln/detail/CVE-2019-6340
- https://github.com/FriendsOfPHP/security-advisories/blob/master/drupal/core/CVE-2019-6340.yaml
- https://github.com/FriendsOfPHP/security-advisories/blob/master/drupal/drupal/CVE-2019-6340.yaml
- https://github.com/drupal/drupal
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2019-6340
- https://www.exploit-db.com/exploits/46452
- https://www.exploit-db.com/exploits/46459
- https://www.exploit-db.com/exploits/46510
- https://www.synology.com/security/advisory/Synology_SA_19_09
Verify integrity in audit chain (admin only). AS-IS.