The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a vigilance database and tools to fix them.

Vulnerability of Drupal Core: Cross Site Scripting via File Module/Subsystem

Synthesis of the vulnerability 

An attacker can trigger a Cross Site Scripting via File Module/Subsystem of Drupal Core, in order to run JavaScript code in the context of the web site.
Impacted software: Debian, Drupal Core, Fedora, IBM API Connect, I-Connect, Synology DSM.
Severity of this computer vulnerability: 2/4.
Creation date: 20/03/2019.
References of this announcement: CVE-2019-6341, DLA-1746-1, DRUPAL-SA-CORE-2019-004, DSA-4412-1, FEDORA-2019-2fbce03df3, FEDORA-2019-35589cfcb5, ibm10879443, Synology-SA-19:13, VIGILANCE-VUL-28786, ZDI-19-291.

Description of the vulnerability 

Drupal Core can be installed on a Drupal site; it includes the File module/subsystem.

However, it does not filter data received via the File module/subsystem before inserting it into generated HTML documents.

An attacker can therefore trigger a Cross Site Scripting via the File module/subsystem of Drupal Core, in order to run JavaScript code in the context of the web site.

This threat announcement impacts software or systems such as Debian, Drupal Core, Fedora, IBM API Connect, I-Connect, Synology DSM.

Our Vigil@nce team determined that the severity of this cybersecurity alert is medium.

The trust level is confirmed by the software vendor, with the vendor's document as the origin of the information.

Exploiting this security alert requires an attacker with expert-level skill.

Solutions for this threat 

Drupal Core: version 8.6.13.
The version 8.6.13 is fixed:
  https://www.drupal.org/project/drupal

Drupal Core: version 8.5.14.
The version 8.5.14 is fixed:
  https://www.drupal.org/project/drupal

Drupal Core: version 7.65.
The version 7.65 is fixed:
  https://www.drupal.org/project/drupal

Debian 8: new drupal7 packages.
New packages are available:
  Debian 8: drupal7 7.32-1+deb8u16

Debian 9: new drupal7 packages.
New packages are available:
  Debian 9: drupal7 7.52-2+deb9u7

Fedora: new drupal7 packages.
New packages are available:
  Fedora 28: drupal7 7.65-1.fc28
  Fedora 29: drupal7 7.65-1.fc29

IBM API Connect: patch for Drupal.
A patch is indicated in information sources.

Synology DSM Drupal: versions 7.65-0130 and 8.6.13-0014.
Versions 7.65-0130 and 8.6.13-0014 are fixed.
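As an added triage helper (not part of the Vigil@nce bulletin or of Drupal itself), the check below maps an upstream Drupal Core version string to the fixed releases listed above (7.65, 8.5.14, 8.6.13). It deliberately rejects distribution package versions such as the Debian, Fedora or Synology strings above, since those carry backports and must be compared against the package versions instead, and it reports any release branch the bulletin does not name as unknown rather than guessing.

```python
"""Triage helper for DRUPAL-SA-CORE-2019-004 / CVE-2019-6341 (added example).

Given an upstream Drupal Core version string, report whether it is at or
above the fixed release the bulletin lists for its branch.  Branches the
bulletin does not mention are reported as 'unknown', not assumed safe.
"""
import re

# Fixed upstream releases taken from the bulletin, keyed by release branch.
FIXED = {
    (7,): (7, 65),
    (8, 5): (8, 5, 14),
    (8, 6): (8, 6, 13),
}

# Accepts '7.65', '8.6.13' and pre-release tags such as '8.6.13-rc1'.
# Distribution strings like '7.32-1+deb8u16' intentionally do not match.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:-(\w+))?$")


def parse_version(text):
    """Return (numeric tuple, pre-release tag or None) for a version string."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"not an upstream Drupal Core version: {text!r}")
    parts = tuple(int(p) for p in m.groups()[:3] if p is not None)
    return parts, m.group(4)


def branch_of(parts):
    """Drupal 7 is one branch (7.x); Drupal 8 is tracked per minor (8.5, 8.6)."""
    return (parts[0],) if parts[0] == 7 else parts[:2]


def assess(text):
    """Return 'fixed', 'vulnerable' or 'unknown' for a Drupal Core version."""
    parts, prerelease = parse_version(text)
    fixed = FIXED.get(branch_of(parts))
    if fixed is None:
        return "unknown"  # branch not covered by the bulletin, e.g. 8.4.x
    # A pre-release of the fixed version (8.6.13-rc1) predates the fix itself.
    if parts > fixed or (parts == fixed and prerelease is None):
        return "fixed"
    return "vulnerable"


if __name__ == "__main__":
    for v in ("7.64", "7.65", "8.5.14", "8.6.12", "8.6.13-rc1", "8.4.8"):
        print(f"{v:12} {assess(v)}")
```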

Computer vulnerabilities tracking service 

Vigil@nce provides a computer security bulletin. Each administrator can customize the list of products for which he wants to receive vulnerability alerts.