Lucene search

Veracode Vulnerability DatabaseVERACODE:13550

HistoryMar 27, 2019 - 5:22 a.m.

Cross-site Scripting (XSS)

2019-03-2705:22:42

Veracode Vulnerability Database

sca.analysiscenter.veracode.com

5.4 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

3.5 Low

CVSS2

Access Vector

NETWORK

Access Complexity

MEDIUM

Authentication

SINGLE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:S/C:N/I:P/A:N

JSON

drupal/core is vulnerable to cross-site scripting (XSS) attacks. The vulnerability exists due to the lack of validation of UTF8 on the filename, allowing a remote attacker to inject arbitrary Javascript into a victim’s browser.

CPENameOperatorVersion
drupal/corele8.5.13
drupal/corele8.6.12

CPE	Name	Operator	Version
	drupal/core	le	8.5.13
	drupal/core	le	8.6.12

References

github.com/drupal/drupal/commit/18de5d6000f604731bcb5ed99901b8f918b9ed1b

github.com/drupal/drupal/commit/82307e02cf974d48335e723c93dfe343894e1a61

www.drupal.org/sa-core-2019-004

5.4 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

3.5 Low

CVSS2

Access Vector

NETWORK

Access Complexity

MEDIUM

Authentication

SINGLE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:S/C:N/I:P/A:N

JSON

Related for VERACODE:13550