New Detection for RCE in Drupal Core 8.5.x and 8.6.x

Document created by Dave Ferguson Employee on Mar 28, 2019
Version 1Show Document
  • View in full screen mode

Hello all


The Qualys WAS scanning engine has been updated with a new detection for CVE-2019-6340, a remote code execution (RCE) vulnerability in the Drupal CMS.  To exploit this vulnerability, an attacker submits a specially-crafted request that includes serialized PHP code.  Ensure that QID 150235 is enabled in your WAS vulnerability scans to test for this issue.  More details about the vulnerability can be found at
This new detection is part of an ongoing effort to provide support for known vulnerabilities in application frameworks.
- Dave