The security hole, tracked as CVE-2019-6340, is caused by the lack of proper data sanitization in some field types, which, in some cases, can allow an attacker to execute arbitrary PHP code, Drupal developers said. The issue was discovered by Samuel Mortenson of the Drupal Security Team.

Exploitation of CVE-2019-6340 is possible if the core RESTful Web Services module is enabled and it allows PATCH or POST requests. Exploitation is also possible if another web services module is enabled, such as JSON:API in Drupal 8 or RESTful Web Services or Services in Drupal 7.