CVE-2019-6341
Published 2019-03-26
Priority: P432 | Severity: medium | CVSS 3.0 base score: 5.4
CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
EPSS: 12.41% (95.7th percentile)
In Drupal 7 versions prior to 7.65; Drupal 8.6 versions prior to 8.6.13; Drupal 8.5 versions prior to 8.5.14. Under certain circumstances the File module/subsystem allows a malicious user to upload a file that can trigger a cross-site scripting (XSS) vulnerability.
Affected (16 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | debian_linux | — | — |
| drupal | core | >= 7.0.0 < 7.65.0 | 7.65.0 |
| drupal | core | >= 8.0.0 < 8.5.14 | 8.5.14 |
| drupal | core | >= 8.6.0 < 8.6.13 | 8.6.13 |
| drupal | drupal | >= 7.0 < 7.65 | 7.65 |
| drupal | drupal | >= 7.0.0 < 7.65.0 | 7.65.0 |
| drupal | drupal | >= 8.0.0 < 8.5.14 | 8.5.14 |
| drupal | drupal | >= 8.5.0 < 8.5.14 | 8.5.14 |
| drupal | drupal | >= 8.6.0 < 8.6.13 | 8.6.13 |
| drupal | drupal | >= 8.6.0 < 8.6.13 | 8.6.13 |
| drupal | drupal_core | — | — |
| drupal | drupal_core | >= Drupal 7 < 7.65 | 7.65 |
| drupal | drupal_core | >= Drupal 8.5 < 8.5.14 | 8.5.14 |
| drupal | drupal_core | >= Drupal 8.6 < 8.6.13 | 8.6.13 |
| fedoraproject | fedora | — | — |
| fedoraproject | fedora | — | — |
CVSS provenance

| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.0 | 5.4 | MEDIUM | CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N |
| nvd | 2.0 | 3.5 | LOW | AV:N/AC:M/Au:S/C:N/I:P/A:N |
| osv | — | 5.4 | MEDIUM | — |
Drupal
Drupal core - Moderately critical - Cross Site Scripting - SA-CORE-2019-004
vendor_drupal·2019-03-20
Vulnerability Type: Cross Site Scripting
Description: Under certain circumstances the File module/subsystem allows a malicious user to upload a file that can trigger a cross-site scripting (XSS) vulnerability.
Solution: If you are using Drupal 8.6, update to Drupal 8.6.13. If you are using Drupal 8.5 or earlier, update to Drupal 8.5.14. If you are using Drupal 7, update to Drupal 7.65. Versions of Drupal 8 prior to 8.5.x are end-of-life and do not receive security coverage.
GHSA
Drupal Cross Site Scripting (XSS) vulnerability
ghsa·2022-05-24
CVE-2019-6341 [MEDIUM] CWE-79 Drupal Cross Site Scripting (XSS) vulnerability
In Drupal 7 versions prior to 7.65; Drupal 8.6 versions prior to 8.6.13; Drupal 8.5 versions prior to 8.5.14. Under certain circumstances the File `module/subsystem` allows a malicious user to upload a file that can trigger a cross-site scripting (XSS) vulnerability.
OSV
Drupal Cross Site Scripting (XSS) vulnerability
osv·2022-05-24
CVE-2019-6341 [MEDIUM] Drupal Cross Site Scripting (XSS) vulnerability
In Drupal 7 versions prior to 7.65; Drupal 8.6 versions prior to 8.6.13; Drupal 8.5 versions prior to 8.5.14. Under certain circumstances the File `module/subsystem` allows a malicious user to upload a file that can trigger a cross-site scripting (XSS) vulnerability.
OSV
CVE-2019-6341: In Drupal 7 versions prior to 7
osv·2019-03-26·CVSS 5.4
In Drupal 7 versions prior to 7.65; Drupal 8.6 versions prior to 8.6.13; Drupal 8.5 versions prior to 8.5.14. Under certain circumstances the File module/subsystem allows a malicious user to upload a file that can trigger a cross-site scripting (XSS) vulnerability.
OSV
CVE-2019-6341: Under certain circumstances the File module/subsystem allows a malicious user to upload a file that can trigger a cross-site scripting (XSS) vulnerabi
osv·2019-03-20
Under certain circumstances the File module/subsystem allows a malicious user to upload a file that can trigger a cross-site scripting (XSS) vulnerability.
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2019-6341 drupal7: cross-site scripting vulnerability in module/subsystem [epel-all]
bugzilla·2019-03-27·CVSS 5.4
This is an automatically created tracking bug! It was created to ensure that one or more security vulnerabilities are fixed in affected versions of epel-all.
For comments that are specific to the vulnerability please use bugs filed against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next comment(s). This will include the bug IDs of this tracking bug as well as the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the fedpkg commit message.
NOTE: this issue affects multiple supported
Bugzilla
CVE-2019-6341 drupal7: cross-site scripting vulnerability in module/subsystem [fedora-all]
bugzilla·2019-03-27·CVSS 5.4
This is an automatically created tracking bug! It was created to ensure that one or more security vulnerabilities are fixed in affected versions of fedora-all.
For comments that are specific to the vulnerability please use bugs filed against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next comment(s). This will include the bug IDs of this tracking bug as well as the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the fedpkg commit message.
NOTE: this issue affects multiple suppo
Bugzilla
CVE-2019-6341 drupal7: cross-site scripting vulnerability in module/subsystem
bugzilla·2019-03-27·CVSS 5.4
In Drupal 7 versions prior to 7.65; Drupal 8.6 versions prior to 8.6.13; Drupal 8.5 versions prior to 8.5.14. Under certain circumstances the File module/subsystem allows a malicious user to upload a file that can trigger a cross-site scripting (XSS) vulnerability.
Reference:
https://www.drupal.org/sa-core-2019-004
Discussion:
Created drupal7 tracking bugs for this issue:
Affects: fedora-all [bug 1693079]
Created drupal8 tracking bugs for this issue:
Affects: fedora-all [bug 1693080]
---
Created drupal7 tracking bugs for this issue:
Affects: epel-all [bug 1693081]
---
External References:
https://www.drupal.org/sa-core-2019-004
---
All dependent bugs are closed, can this tracking bug be closed as w
Bugzilla
CVE-2019-6341 drupal8: drupal7: cross-site scripting vulnerability in module/subsystem [fedora-all]
bugzilla·2019-03-27·CVSS 5.4
This is an automatically created tracking bug! It was created to ensure that one or more security vulnerabilities are fixed in affected versions of fedora-all.
For comments that are specific to the vulnerability please use bugs filed against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next comment(s). This will include the bug IDs of this tracking bug as well as the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the fedpkg commit message.
NOTE: this issue affects multi
References:
https://lists.debian.org/debian-lts-announce/2019/04/msg00003.html
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/IWHF4LALNBZCXMITWWVWKY3PNVYTM3N7/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/P4KTET2PTSIS3ZZ4SGBRQEN6CCLV5SYX/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QNTLCBAN6T7WYR5C4TNEYQD65IIR3V4P/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/Y4SVTVIJ33XCFQ6X6XTVMQM3NPLP2WFS/
https://www.drupal.org/sa-core-2019-004
https://www.synology.com/security/advisory/Synology_SA_19_13