Vulnerability Watch

snarang
Product Team
6 years ago

Drupal Security Advisory for Moderately Critical Vulnerability (SA-CORE-2019-004)

Earlier today, Drupal published SA-CORE-2019-004, a security advisory that addresses a “moderately critical” vulnerability in Drupal core.

According to Drupal, the bug exists within the File module/subsystem and, under certain circumstances, could be abused by a malicious user when uploading a file. Such an upload would trigger a cross-site scripting (XSS) vulnerability.

This vulnerability currently does not have a CVE identifier associated with it. However, public information suggests this vulnerability has a CVSS score of 6.1.

Exploitation of the bug requires the attacker to have user-level permissions. Additionally, the bug affects default configurations of Drupal. However, there appears to be no in-the-wild exploitation of this bug as of yet. We anticipate that a proof of concept (PoC) may be published for this bug in the coming days.

Drupal has released patches for Drupal 7 and Drupal 8. The following versions of Drupal address this vulnerability:

As a reminder, Drupal no longer provides security updates for older versions of Drupal 8 prior to 8.5.x.