Drupal RCE Vulnerability (SA-CORE-2019-003) (Active Check)

Information

Severity

Medium

Family

Web application abuses

CVSSv2 Base

6.8

CVSSv2 Vector

AV:N/AC:M/Au:N/C:P/I:P/A:P

Solution Type

Vendor Patch

Created

5 years ago

Modified

5 years ago

Summary

Some field types do not properly sanitize data from non-form sources. This can lead to arbitrary PHP code execution in some cases.

Insight

A site is only affected by this if one of the following conditions is met:

- The site has the Drupal 8 core RESTful Web Services (rest) module enabled and allows PATCH or POST requests, or
- The site has another web services module enabled, like JSON:API in Drupal 8, or Services or RESTful Web Services in Drupal 7.

Affected Software

Drupal 8.5.x and 8.6.x.

Detection Method

Sends a crafted HTTP POST request and checks the response.

Solution

Update to version 8.5.11, 8.6.10 or later.

Common Vulnerabilities and Exposures (CVE)