Fixed Intel

CISA Known Exploited Vulnerability

This vulnerability is actively exploited in the wild and listed in the CISA Known Exploited Vulnerabilities catalog.

Remediation Deadline: Apr 15, 2022

CVE-2019-6340

High
CVSS 8.1EPSS 94.4%CISA KEVPoC Available
Drupal/Core

Description

In Drupal Core, some field types do not properly sanitize data from non-form sources. This can lead to arbitrary PHP code execution in some cases.

CVSS Score

8.1/ 10
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS — Exploit Probability

94.4%

Higher than 100.0% of all CVEs

Weakness Classification (CWE)

CWE-502Deserialization of Untrusted DataMITRE

Known Exploits

POC
https://www.exploit-db.com/exploits/46459/Exploithttps://www.exploit-db.com/exploits/46510/Exploithttps://www.exploit-db.com/exploits/46459/Exploithttps://www.exploit-db.com/exploits/46510/Exploit

Required Action

https://nvd.nist.gov/vuln/detail/CVE-2019-6340

Risk Assessment

CRITICAL
In CISA KEV
Known exploit
High EPSS

Details

Severity
High
CVSS
8.1
EPSS
94.4%
CWE
CWE-502
Exploit
POC
CISA KEV
Yes
Ransomware
Unknown
Articles
0

Timeline

Published

Mar 25, 2022

Added to KEV

Mar 25, 2022

Remediation Due

Apr 15, 2022

Affected Product

Drupal

Core

View all Drupal CVEs

External Links

NVD (NIST)CVE DetailsMITRE CVE