CVSS3: 8.1 High
Attack Vector: NETWORK
Attack Complexity: HIGH
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH
CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS2: 6.8 Medium
Access Vector: NETWORK
Access Complexity: MEDIUM
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: PARTIAL
AV:N/AC:M/Au:N/C:P/I:P/A:P

EPSS: 0.975 High
Percentile: 100.0%

Some field types do not properly sanitize data from non-form sources. This can lead to arbitrary PHP code execution in some cases.

A site is only affected by this if one of the following conditions is met:

- The site has the Drupal 8 core RESTful Web Services (rest) module enabled and allows GET, PATCH or POST requests, or
- the site has another web services module enabled, like JSON:API in Drupal 8, or Services or RESTful Web Services in Drupal 7.

(Note: The Drupal 7 Services module itself does not require an update at this time, but you should still apply other contributed updates associated with this advisory if Services is in use.)

Updates 2019-02-22: Updated risk score given new information; see PSA-2019-02-22. The security risk score has been updated to 23/25 as there are now known exploits in the wild. In addition, any enabled REST resource end-point, even if it only accepts GET requests, is also vulnerable. Note this does not include REST exports from Views module.

www.drupal.org/project/drupal/releases/8.5.11
www.drupal.org/project/drupal/releases/8.6.10
www.drupal.org/project/jsonapi
www.drupal.org/project/restws
www.drupal.org/project/services
www.drupal.org/psa-2019-02-22
www.drupal.org/user/102818
www.drupal.org/user/1037976
www.drupal.org/user/107158
www.drupal.org/user/108450
www.drupal.org/user/157725
www.drupal.org/user/16747
www.drupal.org/user/183211
www.drupal.org/user/199102
www.drupal.org/user/214652
www.drupal.org/user/227761
www.drupal.org/user/2287430
www.drupal.org/user/240860
www.drupal.org/user/2582268
www.drupal.org/user/266527
www.drupal.org/user/3064
www.drupal.org/user/325866
www.drupal.org/user/395439
www.drupal.org/user/421070
www.drupal.org/user/49851
www.drupal.org/user/61114
www.drupal.org/user/65776
www.drupal.org/user/78040
www.drupal.org/user/99340
www.drupal.org/user/99777