CVE-2019-6340: A New Highly Critical Flaw in Drupal

A new highly critical vulnerability, identified as CVE-2019-6340, was just discovered in Drupal, and luckily it’s already fixed in the latest version of the content management system.

“If you are running Drupal 7, no core update is required, but you may need to update contributed modules if you are using an affected module. We are unable to provide the list of those modules at this time,” Drupal said in the security advisory.

CVE-2019-6340 Technical Summary

CVE-2019-6340 is a remote code execution flaw in Drupal Core that can lead to arbitrary PHP code execution in specific cases. Few technical details have been released so far. What is known is that the flaw is triggered because some field types do not properly sanitize data from non-form sources. The bug affects Drupal 7 and Drupal 8, the team said.

A Drupal-based website is exploitable only if the RESTful Web Services (rest) module is enabled and allows PATCH or POST requests, or if another web services module is enabled.

How can CVE-2019-6340 be mitigated?

To mitigate the vulnerability, affected users can disable all web services modules, or configure their web server(s) to not allow PUT/PATCH/POST requests to web services resources. Keep in mind that web services resources may be available on multiple paths depending on the configuration of the corresponding server(s).

For Drupal 7, for example, resources are typically available both via paths (clean URLs) and via the “q” query argument. For Drupal 8, paths may still function when prefixed with index.php/, the advisory said.
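The caveat above is the part of the mitigation that is easy to get wrong: a web-server rule that blocks `POST /node/1` but not `POST /index.php/node/1` or `PUT /?q=node/1` leaves the resource reachable. The following is an added example, not code from Drupal or from the advisory, that shows the request filter the advisory describes, with the three path forms it lists normalised to one canonical Drupal path before the method check. The resource prefixes (`/node`, `/entity`, `/jsonapi`) and the access-log lines are constructed for illustration; a real deployment has to derive the prefix list from its own web services configuration.

```python
"""Mitigation logic for CVE-2019-6340 as described in the Drupal advisory:
deny PUT/PATCH/POST to web services resources, taking into account that the
same resource is reachable on several paths (clean URL, Drupal 7 'q' query
argument, Drupal 8 'index.php/' prefix).

Added example; not code from Drupal or the advisory. Prefixes and log lines
are constructed assumptions.
"""
from urllib.parse import parse_qs, unquote, urlsplit

BLOCKED_METHODS = {"PUT", "PATCH", "POST"}

# Assumption: prefixes under which this site's web services resources live.
# Must be derived from the site's own REST / JSON:API configuration.
WS_RESOURCE_PREFIXES = ("/node", "/entity", "/jsonapi")


def canonical_path(raw_target: str) -> str:
    """Reduce a request target to the Drupal-internal path.

    Handles the forms the advisory warns about:
      clean URL:           /node/1
      Drupal 7 'q' arg:    /?q=node/1   and   /index.php?q=node/1
      Drupal 8 prefix:     /index.php/node/1
    """
    parts = urlsplit(raw_target)
    path = unquote(parts.path)
    query = parse_qs(parts.query)

    if path.startswith("/index.php/"):
        # Drupal 8: drop the index.php prefix, keep the route that follows it
        path = path[len("/index.php"):]
    elif path in ("/", "/index.php") and "q" in query:
        # Drupal 7: the route is carried in the q= query argument
        path = "/" + query["q"][0].lstrip("/")

    # Collapse duplicate slashes and trailing slash so prefix matching is stable
    while "//" in path:
        path = path.replace("//", "/")
    return path.rstrip("/") or "/"


def is_ws_resource(path: str) -> bool:
    """True if the canonical path falls under a configured web services prefix."""
    return any(path == p or path.startswith(p + "/") for p in WS_RESOURCE_PREFIXES)


def should_block(method: str, raw_target: str) -> bool:
    """True if the request is a write (PUT/PATCH/POST) to a web services resource."""
    if method.upper() not in BLOCKED_METHODS:
        return False
    return is_ws_resource(canonical_path(raw_target))


# Constructed access-log lines; only the quoted request line is parsed.
SAMPLE_LOG = """\
203.0.113.5 - - [20/Feb/2019:10:00:01 +0000] "GET /node/1?_format=json HTTP/1.1" 200 512
203.0.113.5 - - [20/Feb/2019:10:00:02 +0000] "PATCH /node/1?_format=hal_json HTTP/1.1" 200 88
203.0.113.5 - - [20/Feb/2019:10:00:03 +0000] "POST /index.php/node?_format=json HTTP/1.1" 201 64
203.0.113.5 - - [20/Feb/2019:10:00:04 +0000] "PUT /?q=node/1 HTTP/1.1" 200 70
203.0.113.5 - - [20/Feb/2019:10:00:05 +0000] "POST /contact HTTP/1.1" 200 300
203.0.113.5 - - [20/Feb/2019:10:00:06 +0000] "POST /index.php?q=node/1 HTTP/1.1" 200 70
"""


def flag_log(log_text: str):
    """Return (method, target) for every log line the filter would have blocked.

    Useful as a retrospective check: run it over existing access logs to see
    which past writes to web services resources a new rule would have stopped.
    """
    flagged = []
    for line in log_text.splitlines():
        try:
            request = line.split('"')[1]          # 'METHOD target HTTP/x.y'
            method, target, _ = request.split(" ", 2)
        except (IndexError, ValueError):
            continue                              # malformed line, skip
        if should_block(method, target):
            flagged.append((method, target))
    return flagged


if __name__ == "__main__":
    for entry in flag_log(SAMPLE_LOG):
        print("would block:", *entry)
```

Blocking only the clean-URL form would have let two of the four write requests in the constructed log through. The same canonicalisation belongs in whatever enforces the rule (web server rewrite rules, a WAF, or a reverse proxy), and the prefix list must be kept in step with the site's enabled web services modules.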


Another remote code execution bug in Drupal, tracked as CVE-2018-7600, was exploited in October last year in a campaign dubbed Drupalgeddon2. An unknown criminal group took advantage of this older security bug, previously patched in 2017. According to the available research, the Drupalgeddon2 attack allowed the attackers to compromise vulnerable sites and take total control, including access to private data.

Milena Dimitrova

An inspired writer and content manager who has been with SensorsTechForum for 4 years. Enjoys ‘Mr. Robot’ and fears ‘1984’. Focused on user privacy and malware development, she strongly believes in a world where cybersecurity plays a central role. If common sense makes no sense, she will be there to take notes. Those notes may later turn into articles!
