FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

drupal -- Drupal core - Arbitrary PHP code execution

Affected packages
drupal7 < 7.63
drupal8 < 8.6.7


VuXML ID e00ed3d9-1c27-11e9-a257-000ffec0b3e1
Discovery 2019-01-16
Entry 2019-01-19

Drupal Security Team reports:

A remote code execution vulnerability exists in PHP's built-in phar stream wrapper when performing file operations on an untrusted phar:// URI.

Some Drupal code (core, contrib, and custom) may be performing file operations on insufficiently validated user input, thereby being exposed to this vulnerability.

This vulnerability is mitigated by the fact that such code paths typically require access to an administrative permission or an atypical configuration.