### [CVE-2019-6340](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6340)

![](https://img.shields.io/static/v1?label=Product&message=Drupal%20Core&color=blue) ![](https://img.shields.io/static/v1?label=Version&message=8.58.5.11%20&color=brighgreen) ![](https://img.shields.io/static/v1?label=Vulnerability&message=Remote%20code%20execution&color=brighgreen)

### Description

Some field types do not properly sanitize data from non-form sources in Drupal 8.5.x before 8.5.11 and Drupal 8.6.x before 8.6.10. This can lead to arbitrary PHP code execution in some cases. A site is only affected by this if one of the following conditions is met:

- The site has the Drupal 8 core RESTful Web Services (rest) module enabled and allows PATCH or POST requests, or
- The site has another web services module enabled, like JSON:API in Drupal 8, or Services or RESTful Web Services in Drupal 7.

(Note: The Drupal 7 Services module itself does not require an update at this time, but you should apply other contributed updates associated with this advisory if Services is in use.)
### POC

#### Reference

- https://www.exploit-db.com/exploits/46452/
- https://www.exploit-db.com/exploits/46459/
- https://www.exploit-db.com/exploits/46510/

#### Github

- https://github.com/0x4D5352/rekall-penetration-test
- https://github.com/0xT11/CVE-POC
- https://github.com/189569400/Meppo
- https://github.com/20142995/sectool
- https://github.com/ARPSyndicate/cvemon
- https://github.com/ARPSyndicate/kenzer-templates
- https://github.com/Aprillia01/auto-Exploiter
- https://github.com/CVEDB/PoC-List
- https://github.com/CVEDB/awesome-cve-repo
- https://github.com/CVEDB/top
- https://github.com/DevDungeon/CVE-2019-6340-Drupal-8.6.9-REST-Auth-Bypass
- https://github.com/DynamicDesignz/Alien-Framework
- https://github.com/Elsfa7-110/kenzer-templates
- https://github.com/GhostTroops/TOP
- https://github.com/HimmelAward/Goby_POC
- https://github.com/JERRY123S/all-poc
- https://github.com/JSchauert/Penetration-Testing-2
- https://github.com/JSchauert/Project-2-Offensive-Security-CTF
- https://github.com/Ostorlab/KEV
- https://github.com/Ostorlab/known_exploited_vulnerbilities_detectors
- https://github.com/PleXone2019/ICG-AutoExploiterBoT
- https://github.com/SexyBeast233/SecBooks
- https://github.com/WingsSec/Meppo
- https://github.com/Z0fhack/Goby_POC
- https://github.com/amcai/myscan
- https://github.com/antonio-fr/DrupalRS
- https://github.com/anuslok2/IC
- https://github.com/ayhan-dev/Drupal-RCE-Checker
- https://github.com/borahan951/priv8.mechploit
- https://github.com/cved-sources/cve-2019-6340
- https://github.com/cyberanand1337x/bug-bounty-2022
- https://github.com/d1vious/cve-2019-6340-bits
- https://github.com/developer3000S/PoC-in-GitHub
- https://github.com/dobyfreejr/Project-2
- https://github.com/fara-jav/My_YML_File
- https://github.com/g0rx/Drupal-SA-CORE-2019-003
- https://github.com/hectorgie/PoC-in-GitHub
- https://github.com/hktalent/TOP
- https://github.com/hktalent/bug-bounty
- https://github.com/honeybot/wtf-plugin-honeybot-cve_2019_6340
- https://github.com/huan-cdm/secure_tools_link
- https://github.com/itsamirac1e/Offensive_Security_CTF_Rekall
- https://github.com/jas502n/CVE-2019-6340
- https://github.com/jbmihoub/all-poc
- https://github.com/josehelps/cve-2019-6340-bits
- https://github.com/knqyf263/CVE-2019-6340
- https://github.com/koala2099/GitHub-Chinese-Top-Charts
- https://github.com/koutto/jok3r-pocs
- https://github.com/lp008/Hack-readme
- https://github.com/ludy-dev/drupal8-REST-RCE
- https://github.com/merlinepedra/nuclei-templates
- https://github.com/merlinepedra25/nuclei-templates
- https://github.com/mussar0x4D5352/rekall-penetration-test
- https://github.com/neilzhang1/Chinese-Charts
- https://github.com/nobodyatall648/CVE-2019-6340
- https://github.com/nomi-sec/PoC-in-GitHub
- https://github.com/opflep/Drupalgeddon-Toolkit
- https://github.com/oways/CVE-2019-6340
- https://github.com/pg001001/deception-tech
- https://github.com/pinkieli/GitHub-Chinese-Top-Charts
- https://github.com/qingyuanfeiniao/Chinese-Top-Charts
- https://github.com/resistezauxhackeurs/outils_audit_cms
- https://github.com/sobinge/nuclei-templates
- https://github.com/superfish9/pt
- https://github.com/tolgadevsec/Awesome-Deception
- https://github.com/weeka10/-hktalent-TOP
- https://github.com/zeralot/Dectect-CVE
- https://github.com/zhzyker/exphub
- https://github.com/zoroqi/my-awesome