PT-2019-18086 · Drupal · Drupal

Jasper Mattsson · Published 2019-02-21 · Updated 2025-11-07

CVE-2019-6340

CVSS v3.1: 8.1 (High)
Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions

Drupal versions 8.5.x before 8.5.11
Drupal versions 8.6.x before 8.6.10

Description

Some field types do not properly sanitize data from non-form sources in Drupal. This can lead to arbitrary PHP code execution in some cases. A site is only affected if one of the following conditions is met: the site has the Drupal 8 core RESTful Web Services (rest) module enabled and allows PATCH or POST requests, or the site has another web services module enabled, such as JSON:API in Drupal 8, or Services or RESTful Web Services in Drupal 7.

Recommendations

For Drupal 8.5.x, update to version 8.5.11 or later. For Drupal 8.6.x, update to version 8.6.10 or later. As a temporary workaround, consider disabling the RESTful Web Services (rest) module until the site can be updated. Restrict access to the rest module to minimize the risk of exploitation. Avoid allowing PATCH or POST requests on the affected API endpoints until the issue is resolved.
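As an added example (not code from this advisory or from the Drupal project), the following Python script applies the advisory's two exposure conditions, an affected core version and an enabled web-services module, to a site inventory so that a defender can triage which sites need the update or the workaround first. The module machine name `rest` is taken from the advisory; `jsonapi` as the machine name of the JSON:API module, the `rest_allows_write` flag, and the sample inventory are assumptions made for the example.

```python
"""Triage helper for CVE-2019-6340 (added example, not Drupal project code).

Encodes the advisory's affected ranges (8.5.x before 8.5.11, 8.6.x before
8.6.10) and its exposure conditions (rest module enabled with PATCH/POST
allowed, or another web-services module such as JSON:API enabled).
"""
import re
from typing import Iterable, Optional, Tuple

# First fixed release per affected branch, as stated in the advisory.
FIXED_VERSIONS = {
    (8, 5): (8, 5, 11),
    (8, 6): (8, 6, 10),
}

# "rest" is named in the advisory. "jsonapi" is the assumed machine name of
# the JSON:API module for Drupal 8 (assumption, not from the advisory).
REST_MODULE = "rest"
OTHER_WEB_SERVICE_MODULES = {"jsonapi"}

_PLAIN_VERSION = re.compile(r"^(\d+)\.(\d+)\.(\d+)$")


def parse_version(version: str) -> Optional[Tuple[int, int, int]]:
    """Parse 'MAJOR.MINOR.PATCH'. Return None for anything else (for example
    a pre-release such as '8.6.10-rc1'), so the caller reviews it by hand
    instead of silently treating it as fixed."""
    match = _PLAIN_VERSION.match(version.strip())
    if not match:
        return None
    return tuple(int(part) for part in match.groups())  # type: ignore[return-value]


def is_affected_version(version: str) -> Optional[bool]:
    """True if the version is inside an affected range, False if it is at or
    past the fixed release, None if unparseable or on a branch the advisory
    does not list (those need a separate check, not an assumption of safety)."""
    parsed = parse_version(version)
    if parsed is None:
        return None
    fixed = FIXED_VERSIONS.get(parsed[:2])
    if fixed is None:
        return None
    return parsed < fixed


def is_exposed(version: str, enabled_modules: Iterable[str],
               rest_allows_write: bool = True) -> Optional[bool]:
    """Combine version and module conditions from the advisory.

    rest_allows_write mirrors "allows PATCH or POST requests": a rest
    configuration that only permits GET does not meet the first condition.
    """
    affected = is_affected_version(version)
    if affected is None:
        return None
    if not affected:
        return False
    enabled = {m.strip().lower() for m in enabled_modules}
    rest_exposed = REST_MODULE in enabled and rest_allows_write
    other_exposed = bool(enabled & OTHER_WEB_SERVICE_MODULES)
    return rest_exposed or other_exposed


def triage(sites):
    """Return a {site: status} map with 'exposed', 'not exposed' or 'review'."""
    report = {}
    for name, version, modules, rest_write in sites:
        verdict = is_exposed(version, modules, rest_write)
        report[name] = "review" if verdict is None else ("exposed" if verdict else "not exposed")
    return report


if __name__ == "__main__":
    # Constructed sample inventory: (site, core version, enabled modules, rest allows PATCH/POST)
    inventory = [
        ("intranet", "8.6.9", ["node", "rest"], True),
        ("blog", "8.6.9", ["node", "rest"], False),
        ("shop", "8.5.10", ["node", "jsonapi"], True),
        ("docs", "8.6.10", ["rest"], True),
        ("staging", "8.6.10-rc1", ["rest"], True),
    ]
    for site, status in triage(inventory).items():
        print(f"{site}: {status}")
```

Sites reported as `exposed` should receive the update (8.5.11 or 8.6.10 and later) first; where that cannot happen immediately, disabling the rest module or blocking PATCH and POST on its endpoints, as the recommendations above describe, removes the exposure condition the script checks for.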

Weakness Enumeration

Deserialization of Untrusted Data

Related Identifiers

CVE-2019-6340
DRUPAL-CORE-2019-003
GHSA-3GX6-H57H-RM27

Affected Products

Drupal