Drupal core - Moderately critical - Cross Site Scripting - SA-CORE-2019-004

Project:

Drupal core

Date:

2019-March-20

Security risk:

Moderately critical 13 ∕ 25 AC:Basic/A:User/CI:Some/II:Some/E:Theoretical/TD:Default

Vulnerability:

Cross Site Scripting

Affected versions:

>=7.0 <7.65 || >= 8.0.0 <8.5.14 || >=8.6.0 <8.6.13

CVE IDs:

CVE-2019-6341

Description:

Under certain circumstances the File module/subsystem allows a malicious user to upload a file that can trigger a cross-site scripting (XSS) vulnerability.

Solution:

If you are using Drupal 8.6, update to Drupal 8.6.13.
If you are using Drupal 8.5 or earlier, update to Drupal 8.5.14.
If you are using Drupal 7, update to Drupal 7.65.

Versions of Drupal 8 prior to 8.5.x are end-of-life and do not receive security coverage.

Reported By:

Sam Thomas

Fixed By:

Alex Pott of the Drupal Security Team
Lee Rowlands of the Drupal Security Team
Greg Knaddison of the Drupal Security Team
Neil Drumm of the Drupal Security Team
Michael Hess of the Drupal Security Team
David Rothstein of the Drupal Security Team
Peter Wolanin of the Drupal Security Team

Contribution record

Drupal core - Moderately critical - Cross Site Scripting - SA-CORE-2019-004

Contact and more information

Contributing organizations for this advisory

News items

Our community

Documentation

Drupal code base

Governance of community