{"id":"CVE-2019-6340","details":"Some field types do not properly sanitize data from non-form sources in Drupal 8.5.x before 8.5.11 and Drupal 8.6.x before 8.6.10. This can lead to arbitrary PHP code execution in some cases. A site is only affected by this if one of the following conditions is met: The site has the Drupal 8 core RESTful Web Services (rest) module enabled and allows PATCH or POST requests, or the site has another web services module enabled, like JSON:API in Drupal 8, or Services or RESTful Web Services in Drupal 7. (Note: The Drupal 7 Services module itself does not require an update at this time, but you should apply other contributed updates associated with this advisory if Services is in use.)","aliases":["DRUPAL-CORE-2019-003","GHSA-3gx6-h57h-rm27"],"modified":"2026-04-10T04:19:45.068353Z","published":"2019-02-21T21:29:00.343Z","references":[{"type":"WEB","url":"https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2019-6340"},{"type":"ADVISORY","url":"https://www.synology.com/security/advisory/Synology_SA_19_09"},{"type":"ADVISORY","url":"http://www.securityfocus.com/bid/107106"},{"type":"ADVISORY","url":"https://www.drupal.org/sa-core-2019-003"},{"type":"FIX","url":"https://www.exploit-db.com/exploits/46452/"},{"type":"EVIDENCE","url":"https://www.exploit-db.com/exploits/46459/"},{"type":"EVIDENCE","url":"https://www.exploit-db.com/exploits/46510/"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/drupal/drupal","events":[{"introduced":"b73ab73d39dca97a12513e8a9e4f4da4b0676f5f"},{"fixed":"41adc71929319a82ab6b894b410be74d6ad40ad5"},{"introduced":"9b04d294324d9c76be4b596de4316cb8804e8223"},{"fixed":"f4490205b801e91bc77d3b09dcba903e7b35a146"}],"database_specific":{"versions":[{"introduced":"8.5.0"},{"fixed":"8.5.11"},{"introduced":"8.6.0"},{"fixed":"8.6.10"}]}}],"versions":["8.5.0","8.5.10","8.5.4","8.5.5","8.5.7","8.5.8","8.5.9","8.6.0","8.6.1","8.6.3","8.6.4","8.6.5","8.6.8","8.6.9"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2019-6340.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"}]}