CVE-2019-6340
Description
Some field types do not properly sanitize data from non-form sources in Drupal 8.5.x before 8.5.11 and Drupal 8.6.x before 8.6.10. This can lead to arbitrary PHP code execution in some cases. A site is only affected by this if one of the following conditions is met: The site has the Drupal 8 core RESTful Web Services (rest) module enabled and allows PATCH or POST requests, or the site has another web services module enabled, like JSON:API in Drupal 8, or Services or RESTful Web Services in Drupal 7. (Note: The Drupal 7 Services module itself does not require an update at this time, but you should apply other contributed updates associated with this advisory if Services is in use.)
EPSS (Exploit Prediction Scoring System)
Predicts the probability of exploitation based on threat intelligence and on the characteristics of the vulnerability.
EPSS Score Trend (Last 90 Days)
Deserialization of Untrusted Data
Drupal < 8.6.10 / < 8.5.11 - REST Module Remote Code Execution
Drupal < 8.6.9 - REST Module Remote Code Execution
Drupal < 8.5.11 / < 8.6.10 - RESTful Web Services unserialize() Remote Command Execution (Metasploit) (verified, remote)
Drupal by Drupal
cpe:2.3:a:drupal:drupal:*:*:*:*:*:*:*:*