Strike ID:
E19-0vlf1
CVSS:
7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
False Positive:
t
Variants:
2
Year:
2019

Description

A remote code execution vulnerability exists in Drupal 7.x before 7.62, Drupal 8.5.x before 8.5.9 and Drupal 8.6.x before 8.6.6. The vulnerability lies in PHP's built-in phar stream wrapper and is triggered when file operations are performed on an untrusted phar:// URI. A remote attacker can exploit this vulnerability by sending a crafted HTTP request to the target service. Successful exploitation could lead to arbitrary code execution or a crash of the vulnerable application.

CVE

References

MSB

BID

ExploitDB

Secunia

Security Tracker

Metasploit

ZDI

Google

OSVDB
