PT-2019-4189 · Drupal · Drupal

Credit: Greg Knaddison (+1)
Published: 2019-01-16 · Updated: 2022-01-06
CVE-2019-6339

CVSS v3.1: 10 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
Drupal versions prior to 7.62
Drupal versions 8.5.x prior to 8.5.9
Drupal versions 8.6.x prior to 8.6.6

Description
Insufficient validation of user input can lead to remote code execution when a file operation is performed on an untrusted phar:// URI. The vulnerability exists in PHP's built-in phar stream wrapper and may affect any Drupal code (core, contrib, or custom) that performs file operations on user input without proper validation. It is mitigated by the fact that exploitation typically requires administrative permissions or an atypical configuration.

Recommendations
For versions prior to 7.62, update to version 7.62 or later.
For versions 8.5.x prior to 8.5.9, update to version 8.5.9 or later.
For versions 8.6.x prior to 8.6.6, update to version 8.6.6 or later.
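The description above turns on one mechanism: PHP routes any path that starts with a registered wrapper scheme (phar://, among others) to that wrapper, so an ordinary file_exists() or is_dir() on attacker-controlled input can reach the phar wrapper. The following is an added defensive example, not Drupal's own code or its fix, showing an input-side check that rejects wrapper schemes before a path reaches a file operation. It assumes an application that only ever expects local filesystem paths; the function name assertLocalPath and the sample inputs are constructed for illustration.

```php
<?php
declare(strict_types=1);

// Added example (not Drupal's code): refuse user-supplied paths that would be
// routed through phar:// or any other non-allowed stream wrapper.

final class UnsafePathException extends RuntimeException {}

/**
 * Return $path unchanged if it is a plain local path; otherwise throw.
 *
 * PHP resolves a leading "scheme://" to a registered stream wrapper, and the
 * built-in phar:// wrapper unserializes archive metadata as a side effect of
 * ordinary file operations. Allowing only an explicit list of schemes closes
 * that route for code that expects nothing but local files.
 *
 * @param string[] $allowedSchemes wrapper names that may appear as a prefix
 */
function assertLocalPath(string $path, array $allowedSchemes = ['file']): string
{
    // NUL bytes terminate C strings inside PHP's I/O layer; never pass them on.
    if (strpos($path, "\0") !== false) {
        throw new UnsafePathException('NUL byte in path');
    }

    // Match an explicit "scheme:" prefix using RFC 3986 scheme characters.
    if (preg_match('#^([a-z][a-z0-9+.\-]*):#i', $path, $m) === 1) {
        // Wrapper names are matched case-insensitively by PHP ("PHAR://" works).
        $scheme = strtolower($m[1]);
        // A single letter followed by ":" is a Windows drive, not a scheme.
        if (strlen($scheme) > 1 && !in_array($scheme, $allowedSchemes, true)) {
            throw new UnsafePathException("stream wrapper '$scheme://' is not allowed");
        }
    }

    return $path;
}

// Constructed sample inputs for demonstration.
$inputs = [
    'sites/default/files/report.pdf',          // accepted: relative local path
    'phar://sites/default/files/avatar.jpg/x', // rejected: phar wrapper
    'PHAR://sites/default/files/avatar.jpg/x', // rejected: case does not help
    'file:///var/www/html/index.php',          // accepted: 'file' is allowed
    'C:\\inetpub\\wwwroot\\index.php',         // accepted: drive letter, not a scheme
];

foreach ($inputs as $in) {
    try {
        assertLocalPath($in);
        echo "accepted: $in\n";
    } catch (UnsafePathException $e) {
        echo "rejected: $in ({$e->getMessage()})\n";
    }
}
```

The check deliberately sits before the file operation rather than inside it: a prefix test on the raw string is cheap and cannot be bypassed by what the wrapper does once invoked. It is a complement to, not a substitute for, updating to the patched Drupal releases listed above.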

Tags: Exploit · Fix · RCE


Related Identifiers

BDU:2019-04785
CVE-2019-6339
DLA-1659-1
DLA-1685-1
DRUPAL-CORE-2019-002
DSA-4370-1
GHSA-8CW5-RV98-5C46
ZDI-19-130

Affected Products

Drupal