Attacker Value
Moderate
(1 user assessed)
Exploitability
Low
(1 user assessed)
User Interaction
Unknown
Privileges Required
Unknown
Attack Vector
Unknown
0

Drupal core - Moderately critical - Cross Site Scripting - SA-CORE-2019-004

Disclosure Date: March 26, 2019
CVE-2019-6341
Add MITRE ATT&CK tactics and techniques that apply to this CVE.

Description

In Drupal 7 versions prior to 7.65; Drupal 8.6 versions prior to 8.6.13;Drupal 8.5 versions prior to 8.5.14. Under certain circumstances the File module/subsystem allows a malicious user to upload a file that can trigger a cross-site scripting (XSS) vulnerability.

Add Assessment

1
Ratings
  • Attacker Value
    Medium
  • Exploitability
    Low
Technical Analysis

XSS always requires extra effort in a pentest, it depends on the actual app being targeted, the user behaviors, privileges of users, etc. This will likely need a custom payload to be useful as well, leverage a browser exploit, etc.

Log in to Add Reply
CVSS V3 Severity and Metrics
Base Score:
None
Impact Score:
Unknown
Exploitability Score:
Unknown
Vector:
Unknown
Attack Vector (AV):
Unknown
Attack Complexity (AC):
Unknown
Privileges Required (PR):
Unknown
User Interaction (UI):
Unknown
Scope (S):
Unknown
Confidentiality (C):
Unknown
Integrity (I):
Unknown
Availability (A):
Unknown

General Information

Offensive Application
xss
Utility Class
other
Ports
Unknown
OS
Unknown
Vulnerable Versions
Unknown
Prerequisites
Unknown
Discovered By
Zero Day Initiative
PoC Author
Unknown
Metasploit Module
Unknown
Reporter
Unknown

Vendors

  • debian,
  • drupal,
  • fedoraproject

Products

  • debian linux 8.0,
  • drupal,
  • fedora 28,
  • fedora 29
Technical Analysis