Some field types do not properly sanitize data from non-form sources in Drupal 8.5.x before 8.5.11 and Drupal 8.6.x before 8.6.10. This can lead to arbitrary PHP code execution in some cases. A site is only affected by this if one of the following conditions is met: The site has the Drupal 8 core RESTful Web Services (rest) module enabled and allows PATCH or POST requests, or the site has another web services module enabled, like JSON:API in Drupal 8, or Services or RESTful Web Services in Drupal 7. (Note: The Drupal 7 Services module itself does not require an update at this time, but you should apply other contributed updates associated with this advisory if Services is in use.)

The Drupal CMS installed on the remote host is affected by a remote command execution vulnerability. A remote, unauthenticated attacker can leverage this issue to execute arbitrary commands on the remote host.

Drupal Security Team

Some field types do not properly sanitize data from non-form sources.
This can lead to arbitrary PHP code execution in some cases..

According to its self-reported version, the instance of Drupal running on the remote web server is 8.5.x prior to 8.5.11 or 8.6.x prior to 8.6.10. It is, therefore, affected by a remote code execution vulnerability due to improper sanitization of data from non-form sources.

Note that the scanner has not tested for these issues but has instead relied only on the application's self-reported version number.

The version of Drupal installed on the remote server is 8.6.x prior to 8.6.10, and is affected by a flaw in the 'Memcache::getextendedstats' function that can be used to trigger an out-of-bounds read. Exploiting this issue requires control over memcached server hostnames and/or ports. Exploitation of this vulnerability may allow a remote attacker to execute arbitrary code.

The version of Drupal installed on the remote server is 8.5.x prior to 8.5.11, and is affected by a flaw in the 'Memcache::getextendedstats' function that can be used to trigger an out-of-bounds read. Exploiting this issue requires control over memcached server hostnames and/or ports. Exploitation of this vulnerability may allow a remote attacker to execute arbitrary code.

According to its self-reported version, the instance of Drupal running on the remote web server is 8.5.x prior to 8.5.11, or 8.6.x prior to 8.6.10. It is, therefore, affected by a remote code execution vulnerability due to improper sanitization of data from non-form sources.

ID	Name	Product	Family	Severity
122449	Drupal Remote Code Execution Vulnerability (SA-CORE-2019-003) (exploit)	Nessus	CGI abuses	high
122372	FreeBSD : drupal -- Drupal core - Highly critical - Remote Code Execution (002b4b05-35dd-11e9-94a8-000ffec0b3e1)	Nessus	FreeBSD Local Security Checks	high
98589	Drupal 8.6.x < 8.6.10 Remote Code Execution Vulnerability	Web App Scanning	Component Vulnerability	high
98588	Drupal 8.5.x < 8.5.11 Remote Code Execution Vulnerability	Web App Scanning	Component Vulnerability	high
700420	Drupal 8.6.x < 8.6.10 RCE (SA-CORE-2019-003)	Nessus Network Monitor	CGI	critical
700419	Drupal 8.5.x < 8.5.11 RCE (SA-CORE-2019-003)	Nessus Network Monitor	CGI	critical
122349	Drupal 8.5.x < 8.5.11 / 8.6.x < 8.6.10 Remote Code Execution (SA-CORE-2019-003)	Nessus	CGI abuses	high

Detections

Analytics

CVE-2019-6340

high

Tenable Plugins

high

high

high

high

critical

critical

high