1. CVE-Search
  2. CVE-2019-6340
ID CVE-2019-6340
Summary Some field types do not properly sanitize data from non-form sources in Drupal 8.5.x before 8.5.11 and Drupal 8.6.x before 8.6.10. This can lead to arbitrary PHP code execution in some cases. A site is only affected by this if one of the following conditions is met: The site has the Drupal 8 core RESTful Web Services (rest) module enabled and allows PATCH or POST requests, or the site has another web services module enabled, like JSON:API in Drupal 8, or Services or RESTful Web Services in Drupal 7. (Note: The Drupal 7 Services module itself does not require an update at this time, but you should apply other contributed updates associated with this advisory if Services is in use.)
References
Vulnerable Configurations
  • cpe:2.3:a:drupal:drupal:8.5.0:*:*:*:*:*:*:*
    cpe:2.3:a:drupal:drupal:8.5.0:*:*:*:*:*:*:*
  • cpe:2.3:a:drupal:drupal:8.5.0:-:*:*:*:*:*:*
    cpe:2.3:a:drupal:drupal:8.5.0:-:*:*:*:*:*:*
  • cpe:2.3:a:drupal:drupal:8.5.0:alpha1:*:*:*:*:*:*
    cpe:2.3:a:drupal:drupal:8.5.0:alpha1:*:*:*:*:*:*
  • cpe:2.3:a:drupal:drupal:8.5.0:beta1:*:*:*:*:*:*
    cpe:2.3:a:drupal:drupal:8.5.0:beta1:*:*:*:*:*:*
  • cpe:2.3:a:drupal:drupal:8.5.0:rc1:*:*:*:*:*:*
    cpe:2.3:a:drupal:drupal:8.5.0:rc1:*:*:*:*:*:*
  • cpe:2.3:a:drupal:drupal:8.5.1:*:*:*:*:*:*:*
    cpe:2.3:a:drupal:drupal:8.5.1:*:*:*:*:*:*:*
  • cpe:2.3:a:drupal:drupal:8.5.2:*:*:*:*:*:*:*
    cpe:2.3:a:drupal:drupal:8.5.2:*:*:*:*:*:*:*
  • cpe:2.3:a:drupal:drupal:8.5.3:*:*:*:*:*:*:*
    cpe:2.3:a:drupal:drupal:8.5.3:*:*:*:*:*:*:*
  • cpe:2.3:a:drupal:drupal:8.5.4:*:*:*:*:*:*:*
    cpe:2.3:a:drupal:drupal:8.5.4:*:*:*:*:*:*:*
  • cpe:2.3:a:drupal:drupal:8.5.5:*:*:*:*:*:*:*
    cpe:2.3:a:drupal:drupal:8.5.5:*:*:*:*:*:*:*
  • cpe:2.3:a:drupal:drupal:8.5.6:*:*:*:*:*:*:*
    cpe:2.3:a:drupal:drupal:8.5.6:*:*:*:*:*:*:*
  • cpe:2.3:a:drupal:drupal:8.5.7:*:*:*:*:*:*:*
    cpe:2.3:a:drupal:drupal:8.5.7:*:*:*:*:*:*:*
  • cpe:2.3:a:drupal:drupal:8.5.8:*:*:*:*:*:*:*
    cpe:2.3:a:drupal:drupal:8.5.8:*:*:*:*:*:*:*
  • cpe:2.3:a:drupal:drupal:8.5.9:*:*:*:*:*:*:*
    cpe:2.3:a:drupal:drupal:8.5.9:*:*:*:*:*:*:*
  • cpe:2.3:a:drupal:drupal:8.5.10:*:*:*:*:*:*:*
    cpe:2.3:a:drupal:drupal:8.5.10:*:*:*:*:*:*:*
  • cpe:2.3:a:drupal:drupal:8.6.0:*:*:*:*:*:*:*
    cpe:2.3:a:drupal:drupal:8.6.0:*:*:*:*:*:*:*
  • cpe:2.3:a:drupal:drupal:8.6.0:-:*:*:*:*:*:*
    cpe:2.3:a:drupal:drupal:8.6.0:-:*:*:*:*:*:*
  • cpe:2.3:a:drupal:drupal:8.6.0:alpha1:*:*:*:*:*:*
    cpe:2.3:a:drupal:drupal:8.6.0:alpha1:*:*:*:*:*:*
  • cpe:2.3:a:drupal:drupal:8.6.0:beta1:*:*:*:*:*:*
    cpe:2.3:a:drupal:drupal:8.6.0:beta1:*:*:*:*:*:*
  • cpe:2.3:a:drupal:drupal:8.6.0:beta2:*:*:*:*:*:*
    cpe:2.3:a:drupal:drupal:8.6.0:beta2:*:*:*:*:*:*
  • cpe:2.3:a:drupal:drupal:8.6.0:rc1:*:*:*:*:*:*
    cpe:2.3:a:drupal:drupal:8.6.0:rc1:*:*:*:*:*:*
  • cpe:2.3:a:drupal:drupal:8.6.1:*:*:*:*:*:*:*
    cpe:2.3:a:drupal:drupal:8.6.1:*:*:*:*:*:*:*
  • cpe:2.3:a:drupal:drupal:8.6.2:*:*:*:*:*:*:*
    cpe:2.3:a:drupal:drupal:8.6.2:*:*:*:*:*:*:*
  • cpe:2.3:a:drupal:drupal:8.6.3:*:*:*:*:*:*:*
    cpe:2.3:a:drupal:drupal:8.6.3:*:*:*:*:*:*:*
  • cpe:2.3:a:drupal:drupal:8.6.4:*:*:*:*:*:*:*
    cpe:2.3:a:drupal:drupal:8.6.4:*:*:*:*:*:*:*
  • cpe:2.3:a:drupal:drupal:8.6.5:*:*:*:*:*:*:*
    cpe:2.3:a:drupal:drupal:8.6.5:*:*:*:*:*:*:*
  • cpe:2.3:a:drupal:drupal:8.6.6:*:*:*:*:*:*:*
    cpe:2.3:a:drupal:drupal:8.6.6:*:*:*:*:*:*:*
  • cpe:2.3:a:drupal:drupal:8.6.7:*:*:*:*:*:*:*
    cpe:2.3:a:drupal:drupal:8.6.7:*:*:*:*:*:*:*
  • cpe:2.3:a:drupal:drupal:8.6.8:*:*:*:*:*:*:*
    cpe:2.3:a:drupal:drupal:8.6.8:*:*:*:*:*:*:*
  • cpe:2.3:a:drupal:drupal:8.6.9:*:*:*:*:*:*:*
    cpe:2.3:a:drupal:drupal:8.6.9:*:*:*:*:*:*:*
CVSS
Base: 6.8 (as of 24-08-2020 - 17:37)
Impact:
Exploitability:
CWE CWE-502
CAPEC
  • Object Injection
    An adversary attempts to exploit an application by injecting additional, malicious content during its processing of serialized objects. Developers leverage serialization in order to convert data or state into a static, binary format for saving to disk or transferring over a network. These objects are then deserialized when needed to recover the data/state. By injecting a malformed object into a vulnerable application, an adversary can potentially compromise the application by manipulating the deserialization process. This can result in a number of unwanted outcomes, including remote code execution.
Access
VectorComplexityAuthentication
NETWORK MEDIUM NONE
Impact
ConfidentialityIntegrityAvailability
PARTIAL PARTIAL PARTIAL
cvss-vector via4 AV:N/AC:M/Au:N/C:P/I:P/A:P
refmap via4
bid 107106
confirm
exploit-db
  • 46452
  • 46459
  • 46510
saint via4
bid 107106
description Drupal REST module command execution
id web_cms_drupal
title drupal_rest
type remote
Last major update 24-08-2020 - 17:37
Published 21-02-2019 - 21:29
Last modified 24-08-2020 - 17:37
Back to Top