CVE-2019-6341
MEDIUM
Drupal 7 < 7.65 - Cross-Site Scripting via File Upload
Title source: llm
Description
In Drupal 7 versions prior to 7.65, Drupal 8.6 versions prior to 8.6.13, and Drupal 8.5 versions prior to 8.5.14, under certain circumstances the File module/subsystem allows a malicious user to upload a file that can trigger a cross-site scripting (XSS) vulnerability.
References (7)
Core 7
Core References
Patch, Vendor Advisory x_refsource_confirm
https://www.drupal.org/sa-core-2019-004
Mailing List, Third Party Advisory mailing-list x_refsource_mlist
https://lists.debian.org/debian-lts-announce/2019/04/msg00003.html
Vendor Advisory x_refsource_confirm
https://www.synology.com/security/advisory/Synology_SA_19_13
Mailing List, Third Party Advisory vendor-advisory x_refsource_fedora
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QNTLCBAN6T7WYR5C4TNEYQD65IIR3V4P/
Mailing List, Third Party Advisory vendor-advisory x_refsource_fedora
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/Y4SVTVIJ33XCFQ6X6XTVMQM3NPLP2WFS/
Mailing List, Third Party Advisory vendor-advisory x_refsource_fedora
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/P4KTET2PTSIS3ZZ4SGBRQEN6CCLV5SYX/
Mailing List, Third Party Advisory vendor-advisory x_refsource_fedora
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/IWHF4LALNBZCXMITWWVWKY3PNVYTM3N7/
Scores
CVSS v3
5.4
EPSS
0.4648
EPSS Percentile
97.7%
Attack Vector
NETWORK
CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Details
CWE
CWE-79
Status
published
Products (6)
debian/debian_linux
8.0
drupal/core
7.0.0 - 7.65.0 (Packagist)
drupal/drupal
7.0 - 7.65
drupal/drupal
7.0.0 - 7.65.0 (Packagist)
fedoraproject/fedora
28
fedoraproject/fedora
29
Published
Mar 26, 2019
Tracked Since
Feb 18, 2026