Drupal Core - Remote Code Execution (CVE-2019-6340)

Name: Drupal Core - Remote Code Execution (CVE-2019-6340)
Published: 2022-07-06T00:00:00.000Z

Severity
CVE: CVE-2019-6340
CVSSv3 Score: 8.1
Exploitable with Sniper: Yes
Vulnerability description: Drupal Core is affected by a Remote Code Execution vulnerability. The root cause of this vulnerability consists in the insufficient sanitization of user input that is sent through non-form sources. This allows a malicious unauthenticated attacker to execute arbitrary code on the server.
Exploit capabilities: Sniper can gain unauthenticated Remote Code Execution on the target system and extract multiple artefacts as evidence.
Risk description: The risk exists that a remote unauthenticated attacker can fully compromise the server in order to steal confidential information, install ransomware or pivot to the internal network.
Recommendation: Upgrade Drupal Core to version 8.5.11 or above for Drupal Core 8.5.x or to version 8.6.10 or above for Drupal Core 8.6.x.
References: https://nvd.nist.gov/vuln/detail/CVE-2019-6340
Detectable with: Network Scanner
Vuln date: Feb 2019
Published at: Jul 2022
Updated at: Jul 2022
Software Type: CMS
Vendor: Drupal Community
Product: Drupal Core
Codename: Not available