Drupal core - Moderately critical - Cross Site Scripting - SA-CORE-2019-004
Description
A cross-site scripting (XSS) vulnerability in Drupal's File module allows a malicious user to upload a file that can trigger XSS.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
In Drupal 7 versions prior to 7.65, Drupal 8.6 versions prior to 8.6.13, and Drupal 8.5 versions prior to 8.5.14, the File module/subsystem contains a cross-site scripting (XSS) vulnerability. Under certain circumstances, a malicious user can upload a file that, when processed by the module, executes arbitrary JavaScript in the context of the Drupal site [2].
Exploitation
An attacker with the ability to upload files (e.g., as a user with appropriate permissions) can craft a file containing malicious script. The attacker uploads the file via the File module, and when the file is accessed or rendered by the module, the embedded script is executed in the victim's browser [2].
Impact
Successful exploitation allows the attacker to perform cross-site scripting (XSS) attacks, potentially leading to session hijacking, defacement of the site, or execution of arbitrary actions on behalf of the victim user [2].
Mitigation
Update to Drupal 7.65, Drupal 8.5.14, or Drupal 8.6.13 or later, as these versions contain the fix. No workarounds are documented in the available references [2].
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| drupal/core | Packagist | >= 7.0.0, < 7.65.0 | 7.65.0 |
| drupal/core | Packagist | >= 8.0.0, < 8.5.14 | 8.5.14 |
| drupal/core | Packagist | >= 8.6.0, < 8.6.13 | 8.6.13 |
| drupal/drupal | Packagist | >= 7.0.0, < 7.65.0 | 7.65.0 |
| drupal/drupal | Packagist | >= 8.0.0, < 8.5.14 | 8.5.14 |
| drupal/drupal | Packagist | >= 8.6.0, < 8.6.13 | 8.6.13 |
Affected products (3 entries, from GHSA coordinates; 2 version ranges: >= 7.0.0, < 7.65.0 and 1 more)
- (no CPE) range: >= 7.0.0, < 7.65.0
- (no CPE) range: >= 7.0.0, < 7.65.0
- Range: Drupal 7
Patches
- 3c2cae51e5c32471af00dd86689e23ccafb25
Vulnerability mechanics
No source-code context is available for this CVE; the mechanics section is only generated when the actual fix diff can be read. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References (19)
- github.com/advisories/GHSA-cmmh-8mwp-gq5p (ghsa; ADVISORY)
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/IWHF4LALNBZCXMITWWVWKY3PNVYTM3N7/ (mitre; vendor-advisory; x_refsource_FEDORA)
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/P4KTET2PTSIS3ZZ4SGBRQEN6CCLV5SYX/ (mitre; vendor-advisory; x_refsource_FEDORA)
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QNTLCBAN6T7WYR5C4TNEYQD65IIR3V4P/ (mitre; vendor-advisory; x_refsource_FEDORA)
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/Y4SVTVIJ33XCFQ6X6XTVMQM3NPLP2WFS/ (mitre; vendor-advisory; x_refsource_FEDORA)
- nvd.nist.gov/vuln/detail/CVE-2019-6341 (ghsa; ADVISORY)
- github.com/FriendsOfPHP/security-advisories/blob/master/drupal/core/CVE-2019-6341.yaml (ghsa; WEB)
- github.com/FriendsOfPHP/security-advisories/blob/master/drupal/drupal/CVE-2019-6341.yaml (ghsa; WEB)
- lists.debian.org/debian-lts-announce/2019/04/msg00003.html (ghsa; mailing-list; x_refsource_MLIST; WEB)
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/IWHF4LALNBZCXMITWWVWKY3PNVYTM3N7 (ghsa; WEB)
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/P4KTET2PTSIS3ZZ4SGBRQEN6CCLV5SYX (ghsa; WEB)
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QNTLCBAN6T7WYR5C4TNEYQD65IIR3V4P (ghsa; WEB)
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/Y4SVTVIJ33XCFQ6X6XTVMQM3NPLP2WFS (ghsa; WEB)
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IWHF4LALNBZCXMITWWVWKY3PNVYTM3N7 (ghsa; WEB)
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/P4KTET2PTSIS3ZZ4SGBRQEN6CCLV5SYX (ghsa; WEB)
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QNTLCBAN6T7WYR5C4TNEYQD65IIR3V4P (ghsa; WEB)
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/Y4SVTVIJ33XCFQ6X6XTVMQM3NPLP2WFS (ghsa; WEB)
- www.drupal.org/sa-core-2019-004 (ghsa; x_refsource_CONFIRM; WEB)
- www.synology.com/security/advisory/Synology_SA_19_13 (ghsa; x_refsource_CONFIRM; WEB)