Allele Security Alert
ASA-2019-00153
Identifier(s)
ASA-2019-00153, SA-CORE-2019-004, CVE-2019-6341
Title
Upload of a file can trigger a Cross-Site Scripting (XSS) vulnerability
Vendor(s)
Drupal Association
Product(s)
Drupal
Affected version(s)
Drupal 8.6
Drupal 8.5
Drupal 7
Fixed version(s)
Drupal 8.6.13
Drupal 8.5.14
Drupal 7.65
Proof of concept
Unknown
Description
Under certain circumstances, the File module/subsystem allows a malicious user to upload a file that can trigger a cross-site scripting (XSS) vulnerability.
Technical details
Unknown
Credits
Zero Day Initiative
Reference(s)
Drupal core – Moderately critical – Cross Site Scripting – SA-CORE-2019-004
https://www.drupal.org/sa-core-2019-004
SA-CORE-2019-004 by alexpott, larowlan, greggles, drumm, mlhess, David_Rothstein, pwolanin
https://github.com/drupal/core/commit/933f4f9d620af5807c4eb4ec17dc4eb4193a667c
CVE-2019-6341
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6341
CVE-2019-6341
https://nvd.nist.gov/vuln/detail/CVE-2019-6341
Last modified: March 26, 2019