CVE-2019-19826

9.8 CRITICAL

📋 TL;DR

The Views Dynamic Fields module for Drupal 7 passes attacker-controllable input to PHP's unserialize(), which allows PHP object injection. With the Archive_Tar class that Drupal 7 core ships, an injected object's destructor can delete arbitrary files writable by the web server user, and other gadget chains may lead to remote code execution. Every Drupal 7 site with an affected version of the module enabled is exposed.

💻 Affected Systems

Products:
  • Drupal Views Dynamic Fields module
Versions: 7.x-1.0-alpha4 and earlier
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects Drupal 7 sites with the Views Dynamic Fields module installed.

📦 What is this software?

Views Dynamic Fields is a contributed Drupal 7 module that extends the Views module. It is not part of Drupal core and is installed and enabled per site, so only sites that have it enabled are exposed.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Remote code execution leading to complete system compromise, data theft, and persistent backdoor installation.

🟠 Likely Case

Arbitrary deletion of files writable by the web server user (module code, configuration, uploaded files), causing service disruption and possible data loss; code execution requires a further gadget or a chained weakness.

🟢 If Mitigated

Running PHP as a low-privilege user with a read-only codebase bounds what the deletion gadget can reach, but input filtering does not reliably stop object injection; the risk stays significant until the module is updated or disabled.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation is straightforward once the vulnerability is understood, with public proof-of-concept available.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 7.x-1.0-alpha5

Vendor Advisory: https://www.drupal.org/project/views_dynamic_fields/issues/3056600

Restart Required: No

Instructions:

1. Update the Views Dynamic Fields module to version 7.x-1.0-alpha5 or later.
2. Clear Drupal caches so Views picks up the updated handlers (Administration > Configuration > Performance, or with drush).
3. Confirm the installed module reports 7.x-1.0-alpha5 or later (see How to Verify).

🔧 Temporary Workarounds

Disable vulnerable module

linux

Temporarily disable the Views Dynamic Fields module until it can be updated. A disabled module's handlers are no longer loaded, so the unserialize() call is unreachable; clear caches afterwards, and uninstall the module if the site does not need it. The pm-disable command exists in Drush 8 and earlier, the Drush releases used with Drupal 7.

drush pm-disable views_dynamic_fields

🧯 If You Can't Patch

  • Do not rely on input validation: no amount of sanitisation makes unserialize() safe on attacker-controlled data, so treat the measures below as containment and detection only
  • Add a web application firewall rule that blocks requests whose query string or body contains the start of a serialized PHP object (O:<digits>:"), matching after URL-decoding because payloads are normally percent-encoded and often double-encoded
  • Run PHP as a dedicated low-privilege user and keep the codebase read-only to the web server, so the Archive_Tar destructor gadget cannot delete module or configuration files
  • Restrict access to the views that use this module (by role or source address) so their exposed input is not reachable anonymously

🔍 How to Verify

Check if Vulnerable:

The site is vulnerable if the Views Dynamic Fields module is enabled and reports version 7.x-1.0-alpha4 or earlier. An unpackaged dev checkout reports no version; treat it as vulnerable until the code has been checked.

Check Version:

drush pmi views_dynamic_fields | grep Version

Verify Fix Applied:

Confirm the reported version is 7.x-1.0-alpha5 or later. Then confirm in the module's code that request input (exposed filter values, query parameters) is no longer passed to unserialize(); a safe fix either avoids unserialize() on such input entirely or, on PHP 7.0 and later, calls it with ['allowed_classes' => false] so no object can be instantiated.
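As an added example (not from this page or the module's maintainers), the following Python script performs the same check offline against a module checkout: it reads the version string that drupal.org packaging writes into views_dynamic_fields.info, maps it onto the affected range, and lists every unserialize( call site in the module's PHP files so the fix can be confirmed by reading the code rather than trusting the version string alone. The sample module it builds in a temporary directory is a constructed stand-in; its handler file name and code are not the real module's source.

```python
"""Offline check of a Drupal 7 module checkout: packaged version plus unserialize() call sites."""
import os
import re
import tempfile

# drupal.org packaging appends a line such as: version = "7.x-1.0-alpha4"
INFO_VERSION_RE = re.compile(r'^\s*version\s*=\s*"?([^"\s]+)"?', re.M)
ALPHA_RE = re.compile(r'^7\.x-1\.0-alpha(\d+)$')
PHP_SUFFIXES = ('.php', '.inc', '.module', '.install')


def read_packaged_version(module_dir, module='views_dynamic_fields'):
    """Return the packaged version from <module>.info, or None for a git checkout."""
    path = os.path.join(module_dir, module + '.info')
    try:
        with open(path, encoding='utf-8') as fh:
            m = INFO_VERSION_RE.search(fh.read())
    except FileNotFoundError:
        return None
    return m.group(1) if m else None


def classify_version(version):
    """Map a module version onto the advisory's affected range (7.x-1.0-alpha4 and earlier)."""
    if version is None or version.endswith('-dev'):
        return 'unknown'  # no packaged release: the code has to be inspected instead
    m = ALPHA_RE.match(version)
    if m:
        return 'vulnerable' if int(m.group(1)) <= 4 else 'fixed'
    return 'fixed' if version.startswith('7.x-1.') else 'unknown'


def find_unserialize_calls(module_dir):
    """List (relative path, line number, code) for every unserialize( in the module's PHP files."""
    hits = []
    for root, _dirs, files in os.walk(module_dir):
        for name in sorted(files):
            if not name.endswith(PHP_SUFFIXES):
                continue
            path = os.path.join(root, name)
            with open(path, encoding='utf-8', errors='replace') as fh:
                for lineno, line in enumerate(fh, 1):
                    if 'unserialize(' in line:
                        hits.append((os.path.relpath(path, module_dir), lineno, line.strip()))
    return hits


def assess(module_dir):
    """Combine the version check with the code scan into one verdict."""
    version = read_packaged_version(module_dir)
    calls = find_unserialize_calls(module_dir)
    status = classify_version(version)
    if status == 'unknown' and calls:
        status = 'review'  # version unknown but unserialize() present: read the call sites
    return {'version': version, 'status': status, 'unserialize_calls': calls}


def build_sample_module(version='7.x-1.0-alpha4'):
    """Constructed stand-in for a module checkout; file names and code are NOT the real module's."""
    d = tempfile.mkdtemp(prefix='vdf_')
    with open(os.path.join(d, 'views_dynamic_fields.info'), 'w', encoding='utf-8') as fh:
        fh.write('name = Views Dynamic Fields\ncore = 7.x\n'
                 '; Information added by Drupal.org packaging script\n'
                 'version = "%s"\n' % version)
    with open(os.path.join(d, 'example_handler.inc'), 'w', encoding='utf-8') as fh:
        fh.write('<?php\n// constructed stand-in, not the module source\n'
                 '$names = unserialize($input);\n')
    return d


if __name__ == '__main__':
    print(assess(build_sample_module()))
```

Point assess() at sites/all/modules/views_dynamic_fields on a real site; a 'fixed' verdict with no remaining unserialize( call on request input is what the update should produce.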

📡 Detection & Monitoring

Log Indicators:

  • PHP errors of the form "unserialize(): Error at offset N of M bytes" in the PHP error log or Drupal watchdog, produced when a malformed or probing payload reaches the call
  • Query parameter values that, once URL-decoded, start with O:<digits>:"<class>": (a serialized PHP object); the class name Archive_Tar in such a value points at the file-deletion gadget
  • Files disappearing from the codebase or the files directory without a deployment, typically surfacing as failed includes or "No such file or directory" warnings

Network Indicators:

  • HTTP requests to views with exposed input whose parameters carry serialized PHP objects, usually percent-encoded (O%3A...%3A%22) and sometimes double-encoded
  • Repeated requests to the same view path with varying serialized payloads from one source, consistent with gadget probing

SIEM Query:

Web server access logs: search request URIs (URL-decoded first) for "Archive_Tar" or for the pattern O:<digits>:" in a query parameter; "field_names" alone is a weak indicator and should be combined with one of the two.
PHP error / watchdog logs: search for "unserialize()" errors, which never appear in access logs and so need their own query.
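Added example (not part of the original advisory): a Python detector that applies the indicators above to access log lines. It percent-decodes each query parameter repeatedly to catch double encoding, looks for the O:<len>:"<class>": prefix of a serialized PHP object, checks that the declared length matches the class name so stray text does not trigger it, and rates a hit high when the class is Archive_Tar. The log lines are constructed, not real traffic; the parameter name field_names is taken from the indicator list above, and the payloads are placeholders, not working gadgets.

```python
"""Scan web server access logs for PHP serialized-object payloads in query strings."""
import re
from urllib.parse import unquote

# Constructed sample lines in Apache combined log format; not real traffic.
# field_names is the parameter named in this page's indicators; payloads are placeholders.
SAMPLE_ACCESS_LOG = [
    '203.0.113.10 - - [12/Dec/2019:10:01:02 +0000] "GET /news HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.10 - - [12/Dec/2019:10:01:05 +0000] "GET /search?q=O%3A11%3Asomething HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [12/Dec/2019:10:02:17 +0000] "GET /news?field_names=O%3A11%3A%22Archive_Tar%22%3A1%3A%7Bs%3A1%3A%22x%22%3Bs%3A1%3A%22y%22%3B%7D HTTP/1.1" 200 5120 "-" "python-requests/2.22.0"',
    '198.51.100.7 - - [12/Dec/2019:10:02:20 +0000] "GET /news?field_names=%254F%253A8%253A%2522stdClass%2522%253A0%253A%257B%257D HTTP/1.1" 200 5120 "-" "python-requests/2.22.0"',
    '192.0.2.44 - - [12/Dec/2019:10:03:00 +0000] "POST /news?field_names=a%3A1%3A%7Bi%3A0%3Bs%3A5%3A%22title%22%3B%7D HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
]

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# O:<len>:"<class>":<nprops>:{ opens a serialized PHP object.
PHP_OBJECT_RE = re.compile(r'O:(\d+):"([A-Za-z_\\][A-Za-z0-9_\\]*)":\d+:\{')
PHP_ARRAY_RE = re.compile(r'a:\d+:\{')
# Class named on this page whose destructor Drupal 7 exposes as a file-deletion gadget.
GADGET_CLASSES = {'Archive_Tar'}


def fully_decode(value, max_rounds=3):
    """Percent-decode until stable so double-encoded payloads are normalised."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def serialized_classes(value):
    """Class names of serialized objects whose declared length matches the name (cuts false positives)."""
    return [cls for length, cls in PHP_OBJECT_RE.findall(value) if int(length) == len(cls)]


def scan_line(line):
    """Return a finding dict for one access log line, or None when nothing suspicious is present."""
    m = LOG_RE.match(line)
    if not m:
        return None
    raw_query = m.group('target').partition('?')[2]
    for part in raw_query.split('&'):  # split before decoding so %3B inside payloads is kept intact
        name, _, value = part.partition('=')
        name, value = fully_decode(name), fully_decode(value)
        classes = serialized_classes(value)
        if classes:
            severity = 'high' if GADGET_CLASSES.intersection(classes) else 'medium'
            return {'ip': m.group('ip'), 'param': name, 'classes': classes, 'severity': severity}
        if name == 'field_names' and PHP_ARRAY_RE.search(value):
            return {'ip': m.group('ip'), 'param': name, 'classes': [], 'severity': 'low'}
    return None


def scan_log(lines):
    """Findings for every line that carries a serialized PHP payload."""
    return [f for f in (scan_line(line) for line in lines) if f]


if __name__ == '__main__':
    for hit in scan_log(SAMPLE_ACCESS_LOG):
        print(hit)
```

Feed scan_log() the access log of the Drupal 7 site; request bodies are not in access logs, so POST payloads need the WAF or application log as a second source.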
