CVE-2019-6341

In Drupal 7 versions prior to 7.65; Drupal 8.6 versions prior to 8.6.13;Drupal 8.5 versions prior to 8.5.14. Under certain circumstances the File module/subsystem allows a malicious user to upload a file that can trigger a cross-site scripting (XSS) vulnerability.

Published: Mar 26, 2019
Updated: Apr 13, 2023
CVE: CVE-2019-6341
Severity: Medium
Exploit:

CVSS v3:

Severity: Medium
Score: 5.4
AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

CVSS v2:

Severity: Low
Score: 3.5
AV:N/AC:M/Au:S/C:N/I:P/A:N

CWEs:

CWE-79

OWASP TOP 10:

A7 - Cross-Site Scripting (XSS)

Affected Software
References

Software	From	Fixed in
drupal / drupal	7.0	7.65
drupal / drupal	8.5.0	8.5.14
drupal / drupal	8.6.0	8.6.13
debian / debian_linux	8.0	8.0.x
fedoraproject / fedora	28	28.x
fedoraproject / fedora	29	29.x

https://lists.debian.org/debian-lts-announce/2019/04/msg00003.html
https://lists.fedoraproject.org/archives/list/[email protected]/message/IWHF4LALNBZCXMITWWVWKY3PNVYTM3N7/
https://lists.fedoraproject.org/archives/list/[email protected]/message/P4KTET2PTSIS3ZZ4SGBRQEN6CCLV5SYX/
https://lists.fedoraproject.org/archives/list/[email protected]/message/QNTLCBAN6T7WYR5C4TNEYQD65IIR3V4P/
https://lists.fedoraproject.org/archives/list/[email protected]/message/Y4SVTVIJ33XCFQ6X6XTVMQM3NPLP2WFS/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/IWHF4LALNBZCXMITWWVWKY3PNVYTM3N7/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/P4KTET2PTSIS3ZZ4SGBRQEN6CCLV5SYX/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QNTLCBAN6T7WYR5C4TNEYQD65IIR3V4P/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/Y4SVTVIJ33XCFQ6X6XTVMQM3NPLP2WFS/
https://www.drupal.org/sa-core-2019-004
https://www.synology.com/security/advisory/Synology_SA_19_13

Vulnerability Database

289,782

CVE-2019-6341