drupal/core is vulnerable to remote code execution (RCE). A remote code execution vulnerability exists in PHP’s built-in phar stream wrapper when performing file operations on an untrusted phar:// URI. The vulnerability extends to drupal/core as the application does not sufficiently validate user input when performing file operations on an untrusted phar://
URI, allowing remote attackers with administrative permissions to execute arbitrary code on the system.
CPE | Name | Operator | Version |
---|---|---|---|
drupal/core | le | 8.6.5 | |
drupal/core | le | 8.5.8 | |
drupal/drupal | le | 8.6.5 | |
drupal/drupal | le | 8.5.8 |