Synology-SA-19:13 Drupal
Publish Time: 2019-03-26 17:27:02 UTC+8
Last Updated: 2019-05-15 17:46:31 UTC+8
- Severity
- Moderate
- Status
- Resolved
Abstract
A vulnerability allows remote authenticated users to inject arbitrary web script or HTML via a susceptible version of Drupal.
Affected Products
| Product | Severity | Fixed Release Availability |
|---|---|---|
| Drupal | Moderate | Upgrade to 7.65-0130 or above. |
| Drupal 8 | Moderate | Upgrade to 8.6.13-0014 or above. |
Mitigation
None
Detail
- CVE-2019-6341
- Severity: Moderate
- CVSS3 Base Score: 4.7
- CVSS3 Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N/E:U/RL:O/RC:C
- In Drupal 7 versions prior to 7.65; Drupal 8.6 versions prior to 8.6.13;Drupal 8.5 versions prior to 8.5.14. Under certain circumstances the File module/subsystem allows a malicious user to upload a file that can trigger a cross-site scripting (XSS) vulnerability.
Reference
Revision
| Revision | Date | Description |
|---|---|---|
| 1 | 2019-03-26 | Initial public release. |
| 2 | 2019-05-15 | - Disclosed vulnerability details. - Update for Drupal and Drupa8 are now available in Affected Products. |