Company of IT security experts: cybersecurity audits and consulting
French cybersecurity company since 2004
☎ 03 60 47 09 81 - info@securiteinfo.com


CVE-2019-6340

Description

Some field types do not properly sanitize data from non-form sources in Drupal 8.5.x before 8.5.11 and Drupal 8.6.x before 8.6.10. This can lead to arbitrary PHP code execution in some cases. A site is only affected by this if one of the following conditions is met: The site has the Drupal 8 core RESTful Web Services (rest) module enabled and allows PATCH or POST requests, or the site has another web services module enabled, like JSON:API in Drupal 8, or Services or RESTful Web Services in Drupal 7. (Note: The Drupal 7 Services module itself does not require an update at this time, but you should apply other contributed updates associated with this advisory if Services is in use.)
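The description above gives two conditions that must both hold for a site to be exposed: a core version inside one of the affected ranges (8.5.x before 8.5.11, 8.6.x before 8.6.10) and a web services module that accepts write requests (the core REST module with PATCH or POST allowed, or another web services module such as JSON:API). The following Python script is an added example written for this page; it is not code from the original page, from the Drupal project, or from any of the PoC repositories listed below. It assumes administrator-side access to the site's files: it reads the `VERSION` constant from `core/lib/Drupal.php` and the `methods:` list from an exported `rest.resource.*.yml` configuration file. The function names and the two sample inputs are constructed for illustration. It only inspects the core REST module's configuration; a site that exposes writes through JSON:API or another contributed module must be assessed separately, and a version outside the two branches named in the description is reported as "not covered" rather than silently treated as safe.

```python
import re

# Fixed releases named in the CVE description: 8.5.11 and 8.6.10, keyed by branch.
FIXED_RELEASES = {(8, 5): (8, 5, 11), (8, 6): (8, 6, 10)}

# Request methods that, per the description, turn an enabled REST resource
# into a viable entry point.
WRITE_METHODS = {"POST", "PATCH"}


def parse_version(version: str) -> tuple:
    """Return (major, minor, patch) from a Drupal version string such as '8.6.9'."""
    m = re.match(r"^(\d+)\.(\d+)\.(\d+)", version.strip())
    if not m:
        raise ValueError(f"unrecognised Drupal version: {version!r}")
    return tuple(int(x) for x in m.groups())


def version_status(version: str) -> str:
    """Classify a core version against the ranges in the CVE description.

    Returns 'affected', 'fixed', or 'not covered' for branches the description
    does not mention (e.g. 8.4.x and earlier), which must be assessed separately.
    """
    v = parse_version(version)
    fixed = FIXED_RELEASES.get(v[:2])
    if fixed is None:
        return "not covered"
    return "affected" if v < fixed else "fixed"


def version_from_drupal_php(source: str) -> str:
    """Extract the VERSION constant declared in core/lib/Drupal.php."""
    m = re.search(r"const\s+VERSION\s*=\s*'([^']+)'", source)
    if not m:
        raise ValueError("VERSION constant not found in Drupal.php source")
    return m.group(1)


def rest_methods(resource_yaml: str) -> set:
    """Collect the HTTP methods listed under 'methods:' in a rest.resource.*.yml.

    Minimal indentation-based scan so no YAML library is required; it stops at
    the first line that is not a deeper-indented '- item' under 'methods:'.
    """
    methods, indent = set(), None
    for line in resource_yaml.splitlines():
        stripped = line.strip()
        if indent is None:
            if stripped == "methods:":
                indent = len(line) - len(line.lstrip())
            continue
        cur = len(line) - len(line.lstrip())
        if cur <= indent or not stripped.startswith("- "):
            break
        methods.add(stripped[2:].strip().upper())
    return methods


def rest_resource_enabled(resource_yaml: str) -> bool:
    """True unless the config file explicitly carries 'status: false'."""
    return re.search(r"^status:\s*false\s*$", resource_yaml, re.M) is None


def rest_exposes_write(resource_yaml: str) -> bool:
    """True if the resource is enabled and allows POST or PATCH."""
    return rest_resource_enabled(resource_yaml) and bool(rest_methods(resource_yaml) & WRITE_METHODS)


def assess(drupal_php_source: str, resource_yaml: str) -> dict:
    """Combine both conditions from the description into one verdict."""
    version = version_from_drupal_php(drupal_php_source)
    status = version_status(version)
    writable = rest_exposes_write(resource_yaml)
    return {
        "version": version,
        "version_status": status,
        "rest_write_enabled": writable,
        "exposed": status == "affected" and writable,
    }


# Constructed sample inputs (not taken from a real site): an 8.6.9 core file and
# a node REST resource exported with GET/POST/PATCH/DELETE over hal_json.
SAMPLE_DRUPAL_PHP = """<?php
namespace Drupal;
class Drupal {
  const VERSION = '8.6.9';
}
"""

SAMPLE_REST_RESOURCE = """langcode: en
status: true
id: entity.node
plugin_id: 'entity:node'
granularity: resource
configuration:
  methods:
    - GET
    - POST
    - PATCH
    - DELETE
  formats:
    - hal_json
  authentication:
    - basic_auth
    - cookie
"""

if __name__ == "__main__":
    print(assess(SAMPLE_DRUPAL_PHP, SAMPLE_REST_RESOURCE))
```

Run against a real site by replacing the two sample strings with the contents of `core/lib/Drupal.php` and each `rest.resource.*.yml` from a configuration export. A result of `"exposed": True` means both conditions from the description hold for that resource; `"not covered"` means the version is outside the branches the advisory text describes and needs a separate assessment, not that it is safe.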

POC

Reference

- https://www.exploit-db.com/exploits/46452/

- https://www.exploit-db.com/exploits/46459/

- https://www.exploit-db.com/exploits/46510/

Github

- https://github.com/0x4D5352/rekall-penetration-test

- https://github.com/0xT11/CVE-POC

- https://github.com/189569400/Meppo

- https://github.com/20142995/nuclei-templates

- https://github.com/20142995/sectool

- https://github.com/ARPSyndicate/cvemon

- https://github.com/ARPSyndicate/kenzer-templates

- https://github.com/Aprillia01/auto-Exploiter

- https://github.com/CVEDB/PoC-List

- https://github.com/CVEDB/awesome-cve-repo

- https://github.com/CVEDB/top

- https://github.com/ChHsiching/GitHub-Chinese-Top-Charts

- https://github.com/DevDungeon/CVE-2019-6340-Drupal-8.6.9-REST-Auth-Bypass

- https://github.com/DynamicDesignz/Alien-Framework

- https://github.com/Elsfa7-110/kenzer-templates

- https://github.com/GhostTroops/TOP

- https://github.com/HimmelAward/Goby_POC

- https://github.com/Ihsan-Abdul/Penetration-Test-Report

- https://github.com/JERRY123S/all-poc

- https://github.com/JSchauert/Penetration-Testing-2

- https://github.com/JSchauert/Project-2-Offensive-Security-CTF

- https://github.com/JordanMcAlpine1/WebAppLinuxWindowsPenTest

- https://github.com/Mbilse/GitHub-Chinese-Top-Charts

- https://github.com/Mezantrop74/M3M0

- https://github.com/NyxAzrael/Goby_POC

- https://github.com/Ostorlab/KEV

- https://github.com/Ostorlab/known_exploited_vulnerbilities_detectors

- https://github.com/PleXone2019/ICG-AutoExploiterBoT

- https://github.com/ROBOT-X-cyber/outils_audit_cms

- https://github.com/S3cur3Th1sSh1t/My-starred-Repositories

- https://github.com/SexyBeast233/SecBooks

- https://github.com/Sumitpathania03/Drupal-cve-2019-6340

- https://github.com/WingsSec/Meppo

- https://github.com/Z0fhack/Goby_POC

- https://github.com/amcai/myscan

- https://github.com/antonio-fr/DrupalRS

- https://github.com/anuslok2/IC

- https://github.com/ayhan-dev/Drupal-RCE-Checker

- https://github.com/blue-duty/stars

- https://github.com/borahan951/priv8.mechploit

- https://github.com/cved-sources/cve-2019-6340

- https://github.com/cyberanand1337x/bug-bounty-2022

- https://github.com/d1vious/cve-2019-6340-bits

- https://github.com/developer3000S/PoC-in-GitHub

- https://github.com/dobyfreejr/Project-2

- https://github.com/duty9527/stars

- https://github.com/fara-jav/My_YML_File

- https://github.com/g0rx/Drupal-SA-CORE-2019-003

- https://github.com/hectorgie/PoC-in-GitHub

- https://github.com/hktalent/TOP

- https://github.com/hktalent/bug-bounty

- https://github.com/honeybot/wtf-plugin-honeybot-cve_2019_6340

- https://github.com/huan-cdm/secure_tools_link

- https://github.com/itsamirac1e/Offensive_Security_CTF_Rekall

- https://github.com/jas502n/CVE-2019-6340

- https://github.com/jbmihoub/all-poc

- https://github.com/josehelps/cve-2019-6340-bits

- https://github.com/knqyf263/CVE-2019-6340

- https://github.com/koala2099/GitHub-Chinese-Top-Charts

- https://github.com/koutto/jok3r-pocs

- https://github.com/legionhunter/outils_audit_cms

- https://github.com/lp008/Hack-readme

- https://github.com/ludy-dev/drupal8-REST-RCE

- https://github.com/merlinepedra/nuclei-templates

- https://github.com/merlinepedra25/nuclei-templates

- https://github.com/mussar0x4D5352/rekall-penetration-test

- https://github.com/neilzhang1/Chinese-Charts

- https://github.com/nobodyatall648/CVE-2019-6340

- https://github.com/nomi-sec/PoC-in-GitHub

- https://github.com/opflep/Drupalgeddon-Toolkit

- https://github.com/oways/CVE-2019-6340

- https://github.com/pg001001/deception-tech

- https://github.com/pinkie-ljz/GitHub-Chinese-Top-Charts

- https://github.com/pinkieli/GitHub-Chinese-Top-Charts

- https://github.com/qingyuanfeiniao/Chinese-Top-Charts

- https://github.com/reanzai/Reanzai-Penetration-Testing-tool

- https://github.com/resistezauxhackeurs/outils_audit_cms

- https://github.com/sobinge/nuclei-templates

- https://github.com/starling021/M3M0

- https://github.com/superfish9/pt

- https://github.com/tolgadevsec/Awesome-Deception

- https://github.com/weeka10/-hktalent-TOP

- https://github.com/zeralot/Dectect-CVE

- https://github.com/zhzyker/exphub

- https://github.com/zoroqi/my-awesome