Vulnerability Details CVE-2019-19826
The Views Dynamic Fields module through 7.x-1.0-alpha4 for Drupal makes insecure unserialize calls in handlers/views_handler_filter_dynamic_fields.inc, as demonstrated by PHP object injection, involving a field_names object and an Archive_Tar object, for file deletion. Code execution might also be possible.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.015
EPSS Ranking 80.6%
CVSS Severity
CVSS v3 Score 8.1
CVSS v2 Score 7.5
Products affected by CVE-2019-19826
- cpe:2.3:a:drupal:views_dynamic_field:6.x-1.0
- cpe:2.3:a:drupal:views_dynamic_field:6.x-1.1
- cpe:2.3:a:drupal:views_dynamic_field:6.x-1.2
- cpe:2.3:a:drupal:views_dynamic_field:6.x-1.3
- cpe:2.3:a:drupal:views_dynamic_field:6.x-1.4
- cpe:2.3:a:drupal:views_dynamic_field:7.x-1.0