5.4 Medium (CVSS3)
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: LOW
User Interaction: REQUIRED
Scope: CHANGED
Confidentiality Impact: LOW
Integrity Impact: LOW
Availability Impact: NONE
CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

3.5 Low (CVSS2)
Access Vector: NETWORK
Access Complexity: MEDIUM
Authentication: SINGLE
Confidentiality Impact: NONE
Integrity Impact: PARTIAL
Availability Impact: NONE
AV:N/AC:M/Au:S/C:N/I:P/A:N
Under certain circumstances the File module/subsystem allows a malicious user to upload a file that can trigger a cross-site scripting (XSS) vulnerability.
Recent assessments:
busterb at May 09, 2019 5:57pm UTC reported:
XSS always requires extra effort in a pentest; it depends on the actual app being targeted, the user behaviors, privileges of users, etc. This will likely need a custom payload to be useful as well, leverage a browser exploit, etc.
Assessed Attacker Value: 3
Assessed Attacker Value: 2
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6341
github.com/drupal/drupal/commit/82307e02cf974d48335e723c93dfe343894e1a61
lists.debian.org/debian-lts-announce/2019/04/msg00003.html
lists.fedoraproject.org/archives/list/[email protected]/message/IWHF4LALNBZCXMITWWVWKY3PNVYTM3N7
lists.fedoraproject.org/archives/list/[email protected]/message/P4KTET2PTSIS3ZZ4SGBRQEN6CCLV5SYX
lists.fedoraproject.org/archives/list/[email protected]/message/QNTLCBAN6T7WYR5C4TNEYQD65IIR3V4P
lists.fedoraproject.org/archives/list/[email protected]/message/Y4SVTVIJ33XCFQ6X6XTVMQM3NPLP2WFS
security.stackexchange.com/questions/173180/explanation-of-illegal-multi-byte-encoding-leading-to-xss
www.drupal.org/sa-core-2019-004
www.synology.com/security/advisory/Synology_SA_19_13