Home > Cyber News > CVE-2019-6340: A New Highly Critical Flaw in Drupal
CYBER NEWS

CVE-2019-6340: A New Highly Critical Flaw in Drupal

by   |  Last Update:  |  0 Comments  

A new highly critical vulnerability, identified as CVE-2019-6340, was just discovered in Drupal, and luckily it’s already fixed in the latest version of the content management system.

If you are running Drupal 7, no core update is required, but you may need to update contributed modules if you are using an affected module. We are unable to provide the list of those modules at this time, Drupal said in the security advisory.




CVE-2019-6340 Technical Resume

CVE-2019-6340 is a remote code execution flaw in Drupal Core that could lead to arbitrary PHP code execution in specific cases. Not enough technical details are available about the vulnerability. What is known is that the flaw is triggered because some field types do not properly sanitize data from non-form sources. The bug affects Drupal 7 and Drupal 8, the team said.

A website based on Drupal is only exploitable in case the RESTful Web Services (rest) module is enabled allowing PATCH or POST requests. The flaw is also triggered when another web service module is enabled.

How can CVE-2019-6340 be mitigated?

To mitigate the vulnerability, affected users can disable all web services modules, or configure their web server(s) to not allow PUT/PATCH/POST requests to web services resources. Keep in mind that web services resources may be available on multiple paths depending on the configuration of the corresponding server(s).

For Drupal 7, resources are for example typically available via paths (clean URLs) and via arguments to the “q” query argument. For Drupal 8, paths may still function when prefixed with index.php/, the advisory said.

Related: [wplinkpreview url=”https://sensorstechforum.com/cve-2018-7600-drupal-bug-used-new-attack/”]CVE-2018-7600 Drupal Bug Used in New Attack

Another remote code execution bug in Drupal, called Drupalgeddon2, was exploited in October last year. An unknown criminal collective was taking advantage of an old security bug tracked in the CVE-2018-7600 advisory which was previously patched in 2017. This intrusion attempt was called the Drupalgeddon2 attack and according to the available research, it allowed hackers to exploit vulnerable sites and take total control, including access to private data.

Milena Dimitrova

An inspired writer and content manager who has been with SensorsTechForum since the project started. A professional with 10+ years of experience in creating engaging content. Focused on user privacy and malware development, she strongly believes in a world where cybersecurity plays a central role. If common sense makes no sense, she will be there to take notes. Those notes may later turn into articles! Follow Milena @Milenyim

More Posts

Follow Me:
Twitter

Related posts:
  1. CVE-2018-7602 Highly Critical Drupal Bug Actively Exploited in the Wild Drupalgeddon continues with one more remote code execution bug has...
  2. Adobe Patches 112 Vulnerabilities in Latest Patch Package (CVE-2018-5007) Adobe has released the latest patch package that addresses a...
  3. CVE-2018-14773 Symfony Flaw Affects Drupal Versions 8.x-8.5.6 A new vulnerability has been discovered, CVE-2018-14773, that affects Drupal,...
  4. CVE-2018-7600 Critical Drupal Bug Puts Millions of Websites at Risk The popular CMS system Drupal has been found to contain...
  5. CVE-2018-7600 Drupal Bug Used in New Attack Computer hackers are abusing the CVE-2018-7600 Drupal vulnerability using a...
  6. Who Runs Outdated WordPress and Drupal Versions? Corporations! If you’re running an outdated WordPress, Drupal or some other...
  7. “Drupal” Ransomware Uses SQL Injection to Lock Drupal Websites “Website is locked. Please transfer 1.4 BitCoin to address 3M6SQh8Q6d2j1B4JRCe2ESRLHT4vTDbSM9...
  8. CVE-2019-1867: Highly Critical Bug in Cisco Elastic Services Controller Cisco has patched yet another critical vulnerability outlined as CVE-2019-1867....

Leave a Comment

Your email address will not be published. Required fields are marked *

This website uses cookies to improve user experience. By using our website you consent to all cookies in accordance with our Privacy Policy.
I Agree