
Drupal Core ‐ Remote Code Execution

 

Systems Affected


Drupal 8.6.x, 8.5.x or earlier versions

Threat Level


High


Overview


Remote attackers can execute arbitrary code because data on some field types is not sanitized (CVE ID: CVE-2019-6340).


Description


An attacker can mount different attacks because data is not sanitized on some of the field types available in Drupal.
A site is only affected if one of the following conditions is met:
  ✦  The site has the Drupal 8 core RESTful Web Services (rest) module enabled and allows PATCH or POST requests.
  ✦  The site has another web services module enabled, like JSON:API in Drupal 8, or Services or RESTful Web Services in Drupal 7.
(Note: The Drupal 7 Services module itself does not require an update at this time, but you should still apply other contributed updates associated with this advisory if Services is in use.)
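
The Drupal 8 conditions above can be checked against a site's exported configuration. The shell check below is an added example, not part of the original advisory or of Drupal's own tooling; it assumes the active configuration has been exported to a directory (for example with `drush config:export`), and the function names and sample files are constructed for illustration.

```sh
#!/bin/sh
# Added example: triage a Drupal 8 configuration export for the advisory's
# exposure conditions. File names follow Drupal's config export layout.

# True if module $2 is listed as enabled ("  <name>: <weight>") in file $1.
module_enabled() {
    grep -Eq "^[[:space:]]+$2:[[:space:]]*-?[0-9]+[[:space:]]*\$" "$1"
}

# Prints one finding per line. Returns 0 if exposed, 1 if not, 2 on error.
check_drupal_rest_exposure() {
    cfg_dir=$1
    ext="$cfg_dir/core.extension.yml"
    [ -f "$ext" ] || { echo "error: $ext not found" >&2; return 2; }
    exposed=1

    # Condition: another web services module such as JSON:API is enabled.
    if module_enabled "$ext" jsonapi; then
        echo "jsonapi module enabled"
        exposed=0
    fi

    # Condition: core rest module enabled AND a resource allows POST or PATCH.
    if module_enabled "$ext" rest; then
        for f in "$cfg_dir"/rest.resource.*.yml; do
            [ -f "$f" ] || continue
            # Methods appear as "- POST" list items or as "POST:" keys.
            if grep -Eq '^[[:space:]]*(-[[:space:]]+)?(POST|PATCH):?[[:space:]]*$' "$f"; then
                echo "rest resource allows POST/PATCH: ${f##*/}"
                exposed=0
            fi
        done
    fi
    return "$exposed"
}

# Constructed sample: rest enabled, node resource accepting PATCH.
write_sample_config() {
    mkdir -p "$1"
    printf 'module:\n  node: 0\n  rest: 0\n  serialization: 0\n' \
        > "$1/core.extension.yml"
    printf 'id: entity.node\ngranularity: resource\nconfiguration:\n  methods:\n    - GET\n    - PATCH\n' \
        > "$1/rest.resource.entity.node.yml"
}

sample=$(mktemp -d)
write_sample_config "$sample"
check_drupal_rest_exposure "$sample" || true
rm -rf "$sample"
```

A finding means the site meets one of the advisory's conditions and should be prioritised for the update; it does not cover the Drupal 7 modules named above.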


Impact


  ✦  Temporary or permanent loss of the service.
  ✦  Disruption to regular operations.
  ✦  Financial losses incurred to restore systems and files.
  ✦  Potential harm to organization's reputation.


Solution/ Workarounds


  ✻  Update to the latest version of Mozilla Firefox on Windows, Linux and Mac.


References


https://www.drupal.org/sa-core-2019-003
https://www.us-cert.gov/ncas/current-activity/2019/02/21/Drupal-Releases-Security-Updates


Disclaimer


The information provided herein is on "as is" basis, without warranty of any kind.


 
     

© Copyright Sri Lanka CERT|CC. All Rights Reserved.