CVE-2019-6341 : In Drupal 7 versions prior to 7.65; Drupal 8.6 versions prior to 8.6.13;Drupal 8.5 versions prior to 8.5.14. Under certa

In Drupal 7 versions prior to 7.65; Drupal 8.6 versions prior to 8.6.13;Drupal 8.5 versions prior to 8.5.14. Under certain circumstances the File module/subsystem allows a malicious user to upload a file that can trigger a cross-site scripting (XSS) vulnerability.

Published 2019-03-26 18:29:01

Updated 2019-05-16 02:29:01

Source Drupal.org

View at NVD, CVE.org

Vulnerability category: Cross site scripting (XSS)

Exploit prediction scoring system (EPSS) score for CVE-2019-6341

Probability of exploitation activity in the next 30 days: 68.23%

Percentile, the proportion of vulnerabilities that are scored at or less: ~ 98 % EPSS Score History EPSS FAQ

CVSS scores for CVE-2019-6341

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source
3.5	LOW	AV:N/AC:M/Au:S/C:N/I:P/A:N	6.8	2.9	NIST
Access Vector: Network Access Complexity: Medium Authentication: Single Confidentiality Impact: None Integrity Impact: Partial Availability Impact: None
5.4	MEDIUM	CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N	2.3	2.7	NIST
Attack Vector: Network Attack Complexity: Low Privileges Required: Low User Interaction: Required Scope: Changed Confidentiality: Low Integrity: Low Availability: None

CWE ids for CVE-2019-6341

CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

Assigned by: nvd@nist.gov (Primary)

References for CVE-2019-6341

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QNTLCBAN6T7WYR5C4TNEYQD65IIR3V4P/

[SECURITY] Fedora 28 Update: drupal8-8.6.13-1.fc28 - package-announce - Fedora Mailing-Lists
Third Party Advisory
https://www.synology.com/security/advisory/Synology_SA_19_13

Synology Inc.
https://www.drupal.org/sa-core-2019-004

Drupal core - Moderately critical - Cross Site Scripting - SA-CORE-2019-004 | Drupal.org
Patch;Vendor Advisory
https://lists.debian.org/debian-lts-announce/2019/04/msg00003.html

[SECURITY] [DLA 1746-1] drupal7 security update
Mailing List;Third Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/Y4SVTVIJ33XCFQ6X6XTVMQM3NPLP2WFS/

[SECURITY] Fedora 28 Update: drupal7-7.65-1.fc28 - package-announce - Fedora Mailing-Lists
Third Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IWHF4LALNBZCXMITWWVWKY3PNVYTM3N7/

[SECURITY] Fedora 29 Update: drupal8-8.6.13-1.fc29 - package-announce - Fedora Mailing-Lists
Third Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/P4KTET2PTSIS3ZZ4SGBRQEN6CCLV5SYX/

[SECURITY] Fedora 29 Update: drupal7-7.65-1.fc29 - package-announce - Fedora Mailing-Lists
Third Party Advisory

Products affected by CVE-2019-6341

Debian » Debian Linux » Version: 8.0
cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*
Matching versions
Drupal » Drupal
Versions from including (>=) 7.0 and before (<) 7.65
cpe:2.3:a:drupal:drupal:*:*:*:*:*:*:*:*
Matching versions
Drupal » Drupal
Versions from including (>=) 8.6.0 and before (<) 8.6.13
cpe:2.3:a:drupal:drupal:*:*:*:*:*:*:*:*
Matching versions
Drupal » Drupal
Versions from including (>=) 8.5.0 and before (<) 8.5.14
cpe:2.3:a:drupal:drupal:*:*:*:*:*:*:*:*
Matching versions
Fedoraproject » Fedora » Version: 28
cpe:2.3:o:fedoraproject:fedora:28:*:*:*:*:*:*:*
Matching versions
Fedoraproject » Fedora » Version: 29
cpe:2.3:o:fedoraproject:fedora:29:*:*:*:*:*:*:*
Matching versions

Vulnerability Details : CVE-2019-6341

Exploit prediction scoring system (EPSS) score for CVE-2019-6341

CVSS scores for CVE-2019-6341

CWE ids for CVE-2019-6341

References for CVE-2019-6341

Products affected by CVE-2019-6341