ASA-2019-00153 – Drupal: Upload of a file can trigger a Cross-Site Scripting (XSS) vulnerability


Allele Security Alert

ASA-2019-00153

Identifier(s)

ASA-2019-00153, SA-CORE-2019-004, CVE-2019-6341

Title

Upload of a file can trigger a Cross-Site Scripting (XSS) vulnerability

Vendor(s)

Drupal Association

Product(s)

Drupal

Affected version(s)

Drupal 8.6
Drupal 8.5
Drupal 7

Fixed version(s)

Drupal 8.6.13
Drupal 8.5.14
Drupal 7.65

Proof of concept

Unknown

Description

Under certain circumstances, the File module/subsystem allows a malicious user to upload a file that can trigger a cross-site scripting (XSS) vulnerability.

Technical details

Unknown

Credits

Zero Day Initiative

Reference(s)

Drupal core – Moderately critical – Cross Site Scripting – SA-CORE-2019-004
https://www.drupal.org/sa-core-2019-004

SA-CORE-2019-004 by alexpott, larowlan, greggles, drumm, mlhess, David_Rothstein, pwolanin
https://github.com/drupal/core/commit/933f4f9d620af5807c4eb4ec17dc4eb4193a667c

CVE-2019-6341
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6341

CVE-2019-6341
https://nvd.nist.gov/vuln/detail/CVE-2019-6341

Last modified: March 26, 2019