cbcvebase.
CVE-2019-6341
published 2019-03-26


Priority: P432, medium, 5.4 (CVSS 3.0)
Vector: AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
EPSS: 12.41% (95.7th percentile)

Affects Drupal 7 versions prior to 7.65, Drupal 8.6 versions prior to 8.6.13, and Drupal 8.5 versions prior to 8.5.14. Under certain circumstances, the File module/subsystem allows a malicious user to upload a file that can trigger a cross-site scripting (XSS) vulnerability.

Affected

16 ranges
| Vendor | Product | Version range | Fixed in |
| --- | --- | --- | --- |
| debian | debian_linux | | |
| drupal | core | >= 7.0.0 < 7.65.0 | 7.65.0 |
| drupal | core | >= 8.0.0 < 8.5.14 | 8.5.14 |
| drupal | core | >= 8.6.0 < 8.6.13 | 8.6.13 |
| drupal | drupal | >= 7.0 < 7.65 | 7.65 |
| drupal | drupal | >= 7.0.0 < 7.65.0 | 7.65.0 |
| drupal | drupal | >= 8.0.0 < 8.5.14 | 8.5.14 |
| drupal | drupal | >= 8.5.0 < 8.5.14 | 8.5.14 |
| drupal | drupal | >= 8.6.0 < 8.6.13 | 8.6.13 |
| drupal | drupal | >= 8.6.0 < 8.6.13 | 8.6.13 |
| drupal | drupal_core | | |
| drupal | drupal_core | >= Drupal 7 < 7.65 | 7.65 |
| drupal | drupal_core | >= Drupal 8.5 < 8.5.14 | 8.5.14 |
| drupal | drupal_core | >= Drupal 8.6 < 8.6.13 | 8.6.13 |
| fedoraproject | fedora | | |
| fedoraproject | fedora | | |

CVSS provenance

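| Source | Version | Score | Severity | Vector |
| --- | --- | --- | --- | --- |
| nvd | v3.0 | 5.4 | MEDIUM | CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N |
| nvd | v2.0 | 3.5 | LOW | AV:N/AC:M/Au:S/C:N/I:P/A:N |
| osv | | 5.4 | MEDIUM | |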