CVSS: 8.1EPSS: 97%CPEs: 2EXPL: 8CVE-2019-6340 – Drupal Core Remote Code Execution Vulnerability
https://notcve.org/view.php?id=CVE-2019-6340
Some field types do not properly sanitize data from non-form sources in Drupal 8.5.x before 8.5.11 and Drupal 8.6.x before 8.6.10. This can lead to arbitrary PHP code execution in some cases. A site is only affected by this if one of the following conditions is met: The site has the Drupal 8 core RESTful Web Services (rest) module enabled and allows PATCH or POST requests, or the site has another web services module enabled, like JSON:API in Drupal 8, or Services or RESTful Web Services in Drupal 7. (Note: The Drupal 7 Services module itself does not require an update at this time, but you should apply other contributed updates associated with this advisory if Services is in use.) Algunos tipos de campos no sanean correctamente los datos provenientes de fuentes "non-form" en Drupal en sus versiones 8.5.x anteriores a la 8.5.11 y en las versiones 8.6.x anteriores a la 8.6.10. • https://www.exploit-db.com/exploits/46510 https://www.exploit-db.com/exploits/46459 https://www.exploit-db.com/exploits/46452 https://github.com/jas502n/CVE-2019-6340 https://github.com/knqyf263/CVE-2019-6340 https://github.com/oways/CVE-2019-6340 https://github.com/DevDungeon/CVE-2019-6340-Drupal-8.6.9-REST-Auth-Bypass https://github.com/nobodyatall648/CVE-2019-6340 http://www.securityfocus.com/bid/107106 https://www.drupal.org/sa-core-2019-003 https://w • CWE-502: Deserialization of Untrusted Data •
CVSS: 6.5EPSS: 0%CPEs: 1EXPL: 0CVE-2017-6923 – Access bypass in Drupal 8 views
https://notcve.org/view.php?id=CVE-2017-6923
In Drupal 8.x prior to 8.3.7 When creating a view, you can optionally use Ajax to update the displayed data via filter parameters. The views subsystem/module did not restrict access to the Ajax endpoint to only views configured to use Ajax. This is mitigated if you have access restrictions on the view. It is best practice to always include some form of access restrictions on all views, even if you are using another module to display them. En Drupal, en sus versiones 8.x anteriores a la 8.3.7, cuando se crea una vista se puede usar Ajax de manera opcional para actualizar los datos mostrados mediante parámetros filter. • http://www.securityfocus.com/bid/100368 http://www.securitytracker.com/id/1039200 https://www.drupal.org/forum/newsletters/security-advisories-for-drupal-core/2017-08-16/drupal-core-multiple • CWE-862: Missing Authorization •
CVSS: 9.8EPSS: 89%CPEs: 5EXPL: 0CVE-2019-6339 – PHAR stream wrapper Arbitrary PHP code execution
https://notcve.org/view.php?id=CVE-2019-6339
In Drupal Core versions 7.x prior to 7.62, 8.6.x prior to 8.6.6 and 8.5.x prior to 8.5.9; A remote code execution vulnerability exists in PHP's built-in phar stream wrapper when performing file operations on an untrusted phar:// URI. Some Drupal code (core, contrib, and custom) may be performing file operations on insufficiently validated user input, thereby being exposed to this vulnerability. This vulnerability is mitigated by the fact that such code paths typically require access to an administrative permission or an atypical configuration. En Drupal Core, en sus versiones 7.x anteriores a la 7.62, en las 8.6.x anteriores a la 8.6.6 y en las 8.5.x anteriores a la 8.5.9, existe una vulnerabilidad de ejecución remota de código en el wrapper de transmisión phar integrada del PHP cuando se ejecutan operaciones de archivo en un URI "phar://" no fiable. Algún código Drupal ("core", "contrib" y "custom") puede estar ejecutando operaciones de archivo en las entradas de usuarios no validadas de manera suficiente, lo que hace que estos se expongan a esta vulnerabilidad. • https://lists.debian.org/debian-lts-announce/2019/02/msg00004.html https://www.debian.org/security/2019/dsa-4370 https://www.drupal.org/sa-core-2019-002 • CWE-20: Improper Input Validation •
CVSS: 6.5EPSS: 0%CPEs: 4EXPL: 0CVE-2017-6922 – Files uploaded by anonymous users into a private file system can be accessed by other anonymous users
https://notcve.org/view.php?id=CVE-2017-6922
In Drupal core 8.x prior to 8.3.4 and Drupal core 7.x prior to 7.56; Private files that have been uploaded by an anonymous user but not permanently attached to content on the site should only be visible to the anonymous user that uploaded them, rather than all anonymous users. Drupal core did not previously provide this protection, allowing an access bypass vulnerability to occur. This issue is mitigated by the fact that in order to be affected, the site must allow anonymous users to upload files into a private file system. En Drupal core, en las versiones 8.x anteriores a la 8.3.4 y en las 7.x anteriores a la 7.56, los archivos privados subidos por un usuario anónimo que no estén conectados al contenido del sitio deberían ser visibles solo para el mismo usuario anónimo que los subió, en lugar de todos los usuarios anónimos. Anteriormente, Drupal core no disponía de esta protección, permitiendo que ocurriera una vulnerabilidad de omisión de acceso. • http://www.securityfocus.com/bid/99219 http://www.securitytracker.com/id/1038781 https://www.debian.org/security/2017/dsa-3897 https://www.drupal.org/forum/newsletters/security-advisories-for-drupal-core/2017-06-21/drupal-core-multiple • CWE-552: Files or Directories Accessible to External Parties •
CVSS: 8.0EPSS: 0%CPEs: 5EXPL: 0CVE-2019-6338 – third-party PEAR Archive_Tar library updates
https://notcve.org/view.php?id=CVE-2019-6338
In Drupal Core versions 7.x prior to 7.62, 8.6.x prior to 8.6.6 and 8.5.x prior to 8.5.9; Drupal core uses the third-party PEAR Archive_Tar library. This library has released a security update which impacts some Drupal configurations. Refer to CVE-2018-1000888 for details Drupal Core, en sus versiones 7.x anteriores a la 7.62, en las 8.6.x anteriores a la 8.6.6 y en las 8.5.x anteriores a la 8.5.9, utiliza la biblioteca "PEAR Archive_Tar" de terceros. Esta biblioteca ha publicado una actualización de seguridad que impacta en algunas configuraciones de Drupal. Véase CVE-2018-1000888 para más información. • http://www.securityfocus.com/bid/106706 https://lists.debian.org/debian-lts-announce/2019/02/msg00032.html https://www.debian.org/security/2019/dsa-4370 https://www.drupal.org/sa-core-2019-001 • CWE-502: Deserialization of Untrusted Data •