GHSA-cmmh-8mwp-gq5p

GitHub Security Advisory

Drupal Cross Site Scripting (XSS) vulnerability

✓ GitHub Reviewed MODERATE Has CVE

Advisory Details

In Drupal 7 versions prior to 7.65, Drupal 8.6 versions prior to 8.6.13, and Drupal 8.5 versions prior to 8.5.14, under certain circumstances the File module/subsystem allows a malicious user to upload a file that can trigger a cross-site scripting (XSS) vulnerability.

Affected Packages

Packagist drupal/core
Affected versions: 7.0.0 (fixed in 7.65.0)
Packagist drupal/core
Affected versions: 8.0.0 (fixed in 8.5.14)
Packagist drupal/core
Affected versions: 8.6.0 (fixed in 8.6.13)
Packagist drupal/drupal
Affected versions: 7.0.0 (fixed in 7.65.0)
Packagist drupal/drupal
Affected versions: 8.0.0 (fixed in 8.5.14)
Packagist drupal/drupal
Affected versions: 8.6.0 (fixed in 8.6.13)

Related CVEs

Key Information

GHSA ID
GHSA-cmmh-8mwp-gq5p
Published
May 24, 2022 4:56 PM
Last Modified
April 23, 2024 5:05 PM
CVSS Score
5.0 /10
Primary Ecosystem
Packagist
Primary Package
drupal/core
GitHub Reviewed
✓ Yes

Dataset

Last updated: June 18, 2025 6:25 AM

Data from GitHub Advisory Database. This information is provided for research and educational purposes.