Drupal Core ‐ Remote Code Execution

  • CERT Admin
  • Thu Feb 21 2019
  • Alerts

Systems Affected 

Drupal 8.6.x before 8.6.10 and Drupal 8.5.x before 8.5.11 (earlier Drupal 8 branches are end-of-life and receive no fix). Drupal 7 core itself is not affected, but Drupal 7 sites running contributed web services modules (Services, RESTful Web Services) are.

Threat Level



Some field types in Drupal core do not properly sanitize data from non-form sources (such as web services requests). This allows remote attackers to execute arbitrary PHP code in some cases (CVE ID: CVE-2019-6340).


An attacker can mount different attacks, because some of the field types available in Drupal do not sanitize data that arrives through a web services request rather than a form.

A site is only affected by this if one of the following conditions is met:

  • The site has the Drupal 8 core RESTful Web Services (rest) module enabled and allows PATCH or POST requests, or
  • The site has another web services module enabled, such as JSON:API in Drupal 8, or Services or RESTful Web Services in Drupal 7.

(Note: The Drupal 7 Services module itself does not require an update at this time, but you should still apply other contributed updates associated with this advisory if Services is in use.)
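The two conditions above can be checked mechanically. The following POSIX shell helper is an added example, not part of this advisory or of Drupal's own tooling: it decides whether a site's core version predates the fixed releases (8.6.10 / 8.5.11) and whether one of the web services modules named above (machine names rest, jsonapi, services, restws) is enabled. It runs on constructed sample input; the drush commands mentioned in the comments for feeding it from a live site are assumptions. It treats any enabled web services module as exposure and does not inspect whether PATCH or POST are actually allowed, which is the conservative reading of the condition.

```shell
#!/bin/sh
# Added triage helper for SA-CORE-2019-003 / CVE-2019-6340 (example code, not
# part of the advisory). It applies the advisory's two conditions to a site:
#   1. the core version predates the fixed release (8.6.10 / 8.5.11), and
#   2. a web services module is enabled (rest, jsonapi, services, restws).
# The functions take plain strings so they can be run against constructed
# input (see the bottom of the file); the drush commands that would feed them
# on a live site are assumed, not taken from the advisory.

# version_ge A B: exit 0 if dotted version A >= B (numeric, component-wise).
version_ge() {
  awk -v a="$1" -v b="$2" 'BEGIN {
    na = split(a, x, "."); nb = split(b, y, ".")
    n = (na > nb) ? na : nb
    for (i = 1; i <= n; i++) {
      xi = (i <= na) ? x[i] + 0 : 0
      yi = (i <= nb) ? y[i] + 0 : 0
      if (xi > yi) exit 0
      if (xi < yi) exit 1
    }
    exit 0
  }'
}

# core_is_patched VERSION: exit 0 if a Drupal 8 core version carries the fix.
# Only the 8.6.x and 8.5.x branches received it; older 8.x is end-of-life.
core_is_patched() {
  case "$1" in
    8.6.*) version_ge "$1" 8.6.10 ;;
    8.5.*) version_ge "$1" 8.5.11 ;;
    *)     return 1 ;;
  esac
}

# web_services_enabled MODULES: exit 0 if the whitespace-separated list of
# enabled module machine names contains a module named in the advisory.
web_services_enabled() {
  # word splitting of $1 is intentional: one module name per line for grep -x
  printf '%s\n' $1 | grep -qxE 'rest|jsonapi|services|restws'
}

# assess_site VERSION MODULES: print a verdict; exit 0 when action is needed.
assess_site() {
  version="$1"; modules="$2"
  if ! web_services_enabled "$modules"; then
    echo "NOT AFFECTED: no web services module enabled on Drupal $version"
    return 1
  fi
  case "$version" in
    8.*)
      if core_is_patched "$version"; then
        echo "PATCHED: Drupal $version already carries the SA-CORE-2019-003 fix"
        return 1
      fi
      echo "AFFECTED: Drupal $version with a web services module enabled; upgrade to 8.6.10/8.5.11 or disable the module"
      return 0 ;;
    7.*)
      echo "CHECK CONTRIB: Drupal 7 core needs no update, but update the enabled web services modules (Services / RESTful Web Services)"
      return 0 ;;
    *)
      echo "UNKNOWN: unrecognised Drupal version '$version'"
      return 2 ;;
  esac
}

# Constructed sample input standing in for a live site. On a real host the
# values would come from drush, e.g. (assumed Drush 9+ invocations):
#   version=$(drush status --field=drupal-version)
#   modules=$(drush pm:list --status=enabled --type=module --format=list)
sample_version="8.6.9"
sample_modules="node user field link rest serialization"
assess_site "$sample_version" "$sample_modules"
```

Run as-is it reports the constructed 8.6.9 site with rest enabled as AFFECTED. The non-zero exit status for the PATCHED and NOT AFFECTED verdicts is deliberate, so the helper can gate an alert in a cron job or a fleet-wide loop over sites.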


Impact

  ✦  Temporary or permanent loss of the service.
  ✦  Disruption to regular operations.
  ✦  Financial losses incurred to restore systems and files.
  ✦  Potential harm to the organization's reputation.

Solution/ Workarounds 

  ✻  If you are using Drupal 8.6.x, upgrade to Drupal 8.6.10.
  ✻  If you are using Drupal 8.5.x or earlier, upgrade to Drupal 8.5.11.
  ✻  Drupal 7 core does not require an update, but apply the contributed module updates associated with this advisory (Services, RESTful Web Services) if those modules are in use.
  ✻  Mitigation: disable all web services modules, or configure your web server(s) to not allow PUT/PATCH/POST requests to web services resources. Note that web services resources may be available on multiple paths depending on the configuration of your server(s); in Drupal 8, paths may still function when prefixed with index.php/, and in Drupal 7 resources are typically reachable both via clean URLs and via the "q" query argument.




The information provided herein is on an "as is" basis, without warranty of any kind.

Last updated: Thu Feb 21 2019