Drupal core - Moderately critical - Cross Site Scripting - SA-CORE-2019-004

Project:

Drupal core

Date:

2019-March-20

Security risk:

Moderately critical 13∕25 AC:Basic/A:User/CI:Some/II:Some/E:Theoretical/TD:Default

Vulnerability:

Cross Site Scripting

CVE IDs:

CVE-2019-6341

Description:

Under certain circumstances the File module/subsystem allows a malicious user to upload a file that can trigger a cross-site scripting (XSS) vulnerability.

Solution:

If you are using Drupal 8.6, update to Drupal 8.6.13.
If you are using Drupal 8.5 or earlier, update to Drupal 8.5.14.
If you are using Drupal 7, update to Drupal 7.65.

Versions of Drupal 8 prior to 8.5.x are end-of-life and do not receive security coverage.

Reported By:

Sam Thomas

Fixed By:

Alex Pott of the Drupal Security Team
Lee Rowlands of the Drupal Security Team
Greg Knaddison of the Drupal Security Team
Neil Drumm of the Drupal Security Team
Michael Hess of the Drupal Security Team
David Rothstein of the Drupal Security Team
Peter Wolanin of the Drupal Security Team

https://www.drupal.org/sa-core-2019-004