All the vulnerabilites related to restful_web_services_project - restful_web_services
cve-2013-0205
Vulnerability from cvelistv5
Published
2013-03-19 14:00
Modified
2024-09-16 20:01
Severity ?
EPSS score ?
Summary
Cross-site request forgery (CSRF) vulnerability in the RESTful Web Services (restws) module 7.x-1.x before 7.x-1.2 and 7.x-2.x before 7.x-2.0-alpha4 for Drupal allows remote attackers to hijack the authentication of arbitrary users via unknown vectors.
References
| ▼ | URL | Tags |
|---|---|---|
| https://drupal.org/node/1890216 | x_refsource_CONFIRM | |
| http://www.openwall.com/lists/oss-security/2013/01/21/5 | mailing-list, x_refsource_MLIST | |
| https://drupal.org/node/1890222 | x_refsource_MISC | |
| https://drupal.org/node/1890212 | x_refsource_CONFIRM |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T14:18:09.340Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://drupal.org/node/1890216"
},
{
"name": "[oss-security] 20130121 Re: CVE request for Drupal contributed modules",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2013/01/21/5"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://drupal.org/node/1890222"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://drupal.org/node/1890212"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Cross-site request forgery (CSRF) vulnerability in the RESTful Web Services (restws) module 7.x-1.x before 7.x-1.2 and 7.x-2.x before 7.x-2.0-alpha4 for Drupal allows remote attackers to hijack the authentication of arbitrary users via unknown vectors."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2013-03-19T14:00:00Z",
"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"shortName": "redhat"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://drupal.org/node/1890216"
},
{
"name": "[oss-security] 20130121 Re: CVE request for Drupal contributed modules",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "http://www.openwall.com/lists/oss-security/2013/01/21/5"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://drupal.org/node/1890222"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://drupal.org/node/1890212"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "secalert@redhat.com",
"ID": "CVE-2013-0205",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Cross-site request forgery (CSRF) vulnerability in the RESTful Web Services (restws) module 7.x-1.x before 7.x-1.2 and 7.x-2.x before 7.x-2.0-alpha4 for Drupal allows remote attackers to hijack the authentication of arbitrary users via unknown vectors."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://drupal.org/node/1890216",
"refsource": "CONFIRM",
"url": "https://drupal.org/node/1890216"
},
{
"name": "[oss-security] 20130121 Re: CVE request for Drupal contributed modules",
"refsource": "MLIST",
"url": "http://www.openwall.com/lists/oss-security/2013/01/21/5"
},
{
"name": "https://drupal.org/node/1890222",
"refsource": "MISC",
"url": "https://drupal.org/node/1890222"
},
{
"name": "https://drupal.org/node/1890212",
"refsource": "CONFIRM",
"url": "https://drupal.org/node/1890212"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"assignerShortName": "redhat",
"cveId": "CVE-2013-0205",
"datePublished": "2013-03-19T14:00:00Z",
"dateReserved": "2012-12-06T00:00:00Z",
"dateUpdated": "2024-09-16T20:01:28.663Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2012-5556
Vulnerability from cvelistv5
Published
2012-12-03 21:00
Modified
2024-09-16 23:21
Severity ?
EPSS score ?
Summary
Multiple cross-site request forgery (CSRF) vulnerabilities in the RESTful Web Services (RESTWS) module 7.x-1.x before 7.x-1.1 and 7.x-2.x before 7.x-2.0-alpha3 for Drupal allow remote attackers to hijack the authentication of arbitrary users via unknown vectors.
References
| ▼ | URL | Tags |
|---|---|---|
| http://drupal.org/node/1840740 | x_refsource_MISC | |
| http://drupal.org/node/1840722 | x_refsource_CONFIRM | |
| http://www.openwall.com/lists/oss-security/2012/11/20/4 | mailing-list, x_refsource_MLIST | |
| http://drupal.org/node/1840728 | x_refsource_CONFIRM |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T21:14:15.981Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "http://drupal.org/node/1840740"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "http://drupal.org/node/1840722"
},
{
"name": "[oss-security] 20121120 Re: CVE Request for Drupal Contributed Modules",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2012/11/20/4"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "http://drupal.org/node/1840728"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Multiple cross-site request forgery (CSRF) vulnerabilities in the RESTful Web Services (RESTWS) module 7.x-1.x before 7.x-1.1 and 7.x-2.x before 7.x-2.0-alpha3 for Drupal allow remote attackers to hijack the authentication of arbitrary users via unknown vectors."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2012-12-03T21:00:00Z",
"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"shortName": "redhat"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "http://drupal.org/node/1840740"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "http://drupal.org/node/1840722"
},
{
"name": "[oss-security] 20121120 Re: CVE Request for Drupal Contributed Modules",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "http://www.openwall.com/lists/oss-security/2012/11/20/4"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "http://drupal.org/node/1840728"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "secalert@redhat.com",
"ID": "CVE-2012-5556",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Multiple cross-site request forgery (CSRF) vulnerabilities in the RESTful Web Services (RESTWS) module 7.x-1.x before 7.x-1.1 and 7.x-2.x before 7.x-2.0-alpha3 for Drupal allow remote attackers to hijack the authentication of arbitrary users via unknown vectors."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "http://drupal.org/node/1840740",
"refsource": "MISC",
"url": "http://drupal.org/node/1840740"
},
{
"name": "http://drupal.org/node/1840722",
"refsource": "CONFIRM",
"url": "http://drupal.org/node/1840722"
},
{
"name": "[oss-security] 20121120 Re: CVE Request for Drupal Contributed Modules",
"refsource": "MLIST",
"url": "http://www.openwall.com/lists/oss-security/2012/11/20/4"
},
{
"name": "http://drupal.org/node/1840728",
"refsource": "CONFIRM",
"url": "http://drupal.org/node/1840728"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"assignerShortName": "redhat",
"cveId": "CVE-2012-5556",
"datePublished": "2012-12-03T21:00:00Z",
"dateReserved": "2012-10-24T00:00:00Z",
"dateUpdated": "2024-09-16T23:21:47.440Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2013-4225
Vulnerability from cvelistv5
Published
2020-02-11 20:19
Modified
2024-08-06 16:38
Severity ?
EPSS score ?
Summary
The RESTful Web Services (restws) module 7.x-1.x before 7.x-1.4 and 7.x-2.x before 7.x-2.1 for Drupal does not properly restrict access to entity write operations, which makes it easier for remote authenticated users with the "access resource node" and "create page content" permissions (or equivalents) to conduct cross-site scripting (XSS) or execute arbitrary PHP code via a crafted text field.
References
| ▼ | URL | Tags |
|---|---|---|
| https://drupal.org/node/2059603 | x_refsource_MISC | |
| https://drupal.org/node/2059591 | x_refsource_MISC | |
| https://drupal.org/node/2059593 | x_refsource_MISC | |
| http://www.openwall.com/lists/oss-security/2013/08/10/1 | x_refsource_MISC |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| ▼ | RESTful Web Services | RESTful Web Services |
Version: 7.x-1.x before 7.x-1.4 Version: 7.x-2.x before 7.x-2.1 |
|
|
|||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T16:38:01.575Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://drupal.org/node/2059603"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://drupal.org/node/2059591"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://drupal.org/node/2059593"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2013/08/10/1"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "RESTful Web Services",
"vendor": "RESTful Web Services",
"versions": [
{
"status": "affected",
"version": "7.x-1.x before 7.x-1.4"
},
{
"status": "affected",
"version": "7.x-2.x before 7.x-2.1"
}
]
}
],
"datePublic": "2013-08-07T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "The RESTful Web Services (restws) module 7.x-1.x before 7.x-1.4 and 7.x-2.x before 7.x-2.1 for Drupal does not properly restrict access to entity write operations, which makes it easier for remote authenticated users with the \"access resource node\" and \"create page content\" permissions (or equivalents) to conduct cross-site scripting (XSS) or execute arbitrary PHP code via a crafted text field."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Insecure Permissions",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-02-11T20:19:56",
"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"shortName": "redhat"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://drupal.org/node/2059603"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://drupal.org/node/2059591"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://drupal.org/node/2059593"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "http://www.openwall.com/lists/oss-security/2013/08/10/1"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"assignerShortName": "redhat",
"cveId": "CVE-2013-4225",
"datePublished": "2020-02-11T20:19:56",
"dateReserved": "2013-06-12T00:00:00",
"dateUpdated": "2024-08-06T16:38:01.575Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2013-1946
Vulnerability from cvelistv5
Published
2014-04-06 16:00
Modified
2024-08-06 15:20
Severity ?
EPSS score ?
Summary
The RESTful Web Services (RESTWS) module 7.x-1.x before 7.x-1.3 and 7.x-2.x before 7.x-2.0-alpha5 for Drupal, when page caching is enabled and anonymous users are assigned RESTWS permissions, allows remote attackers to cause a denial of service via a GET request with an HTTP Accept header set to a non-HTML type, which can "interfere with Drupal's page cache."
References
| ▼ | URL | Tags |
|---|---|---|
| http://www.osvdb.org/92259 | vdb-entry, x_refsource_OSVDB | |
| https://drupal.org/node/1966758 | x_refsource_CONFIRM | |
| https://drupal.org/node/1966752 | x_refsource_CONFIRM | |
| https://drupal.org/node/1966780 | x_refsource_MISC | |
| http://www.openwall.com/lists/oss-security/2013/04/12/1 | mailing-list, x_refsource_MLIST |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T15:20:37.282Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "92259",
"tags": [
"vdb-entry",
"x_refsource_OSVDB",
"x_transferred"
],
"url": "http://www.osvdb.org/92259"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://drupal.org/node/1966758"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://drupal.org/node/1966752"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://drupal.org/node/1966780"
},
{
"name": "[oss-security] 20130412 Re: CVE request for Drupal contributed modules",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2013/04/12/1"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2013-04-10T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "The RESTful Web Services (RESTWS) module 7.x-1.x before 7.x-1.3 and 7.x-2.x before 7.x-2.0-alpha5 for Drupal, when page caching is enabled and anonymous users are assigned RESTWS permissions, allows remote attackers to cause a denial of service via a GET request with an HTTP Accept header set to a non-HTML type, which can \"interfere with Drupal\u0027s page cache.\""
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2014-04-06T15:57:00",
"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"shortName": "redhat"
},
"references": [
{
"name": "92259",
"tags": [
"vdb-entry",
"x_refsource_OSVDB"
],
"url": "http://www.osvdb.org/92259"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://drupal.org/node/1966758"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://drupal.org/node/1966752"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://drupal.org/node/1966780"
},
{
"name": "[oss-security] 20130412 Re: CVE request for Drupal contributed modules",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "http://www.openwall.com/lists/oss-security/2013/04/12/1"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "secalert@redhat.com",
"ID": "CVE-2013-1946",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "The RESTful Web Services (RESTWS) module 7.x-1.x before 7.x-1.3 and 7.x-2.x before 7.x-2.0-alpha5 for Drupal, when page caching is enabled and anonymous users are assigned RESTWS permissions, allows remote attackers to cause a denial of service via a GET request with an HTTP Accept header set to a non-HTML type, which can \"interfere with Drupal\u0027s page cache.\""
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "92259",
"refsource": "OSVDB",
"url": "http://www.osvdb.org/92259"
},
{
"name": "https://drupal.org/node/1966758",
"refsource": "CONFIRM",
"url": "https://drupal.org/node/1966758"
},
{
"name": "https://drupal.org/node/1966752",
"refsource": "CONFIRM",
"url": "https://drupal.org/node/1966752"
},
{
"name": "https://drupal.org/node/1966780",
"refsource": "MISC",
"url": "https://drupal.org/node/1966780"
},
{
"name": "[oss-security] 20130412 Re: CVE request for Drupal contributed modules",
"refsource": "MLIST",
"url": "http://www.openwall.com/lists/oss-security/2013/04/12/1"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"assignerShortName": "redhat",
"cveId": "CVE-2013-1946",
"datePublished": "2014-04-06T16:00:00",
"dateReserved": "2013-02-19T00:00:00",
"dateUpdated": "2024-08-06T15:20:37.282Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2015-4345
Vulnerability from cvelistv5
Published
2015-06-15 14:00
Modified
2024-08-06 06:11
Severity ?
EPSS score ?
Summary
The RESTWS Basic Auth submodule in the RESTful Web Services module 7.x-1.x before 7.x-1.5 and 7.x-2.x before 7.x-2.3 for Drupal caches pages for authenticated requests, which allows remote attackers to obtain sensitive information via unspecified vectors.
References
| ▼ | URL | Tags |
|---|---|---|
| http://www.securityfocus.com/bid/72676 | vdb-entry, x_refsource_BID | |
| https://www.drupal.org/node/2428857 | x_refsource_CONFIRM | |
| http://www.openwall.com/lists/oss-security/2015/04/25/6 | mailing-list, x_refsource_MLIST | |
| https://www.drupal.org/node/2428855 | x_refsource_CONFIRM | |
| https://www.drupal.org/node/2428863 | x_refsource_MISC |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T06:11:12.908Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "72676",
"tags": [
"vdb-entry",
"x_refsource_BID",
"x_transferred"
],
"url": "http://www.securityfocus.com/bid/72676"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://www.drupal.org/node/2428857"
},
{
"name": "[oss-security] 20150425 CVE requests for Drupal contributed modules (from SA-CONTRIB-2015-034 to SA-CONTRIB-2015-099)",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2015/04/25/6"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://www.drupal.org/node/2428855"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.drupal.org/node/2428863"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2015-02-18T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "The RESTWS Basic Auth submodule in the RESTful Web Services module 7.x-1.x before 7.x-1.5 and 7.x-2.x before 7.x-2.3 for Drupal caches pages for authenticated requests, which allows remote attackers to obtain sensitive information via unspecified vectors."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2016-06-03T20:57:01",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"name": "72676",
"tags": [
"vdb-entry",
"x_refsource_BID"
],
"url": "http://www.securityfocus.com/bid/72676"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://www.drupal.org/node/2428857"
},
{
"name": "[oss-security] 20150425 CVE requests for Drupal contributed modules (from SA-CONTRIB-2015-034 to SA-CONTRIB-2015-099)",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "http://www.openwall.com/lists/oss-security/2015/04/25/6"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://www.drupal.org/node/2428855"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.drupal.org/node/2428863"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2015-4345",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "The RESTWS Basic Auth submodule in the RESTful Web Services module 7.x-1.x before 7.x-1.5 and 7.x-2.x before 7.x-2.3 for Drupal caches pages for authenticated requests, which allows remote attackers to obtain sensitive information via unspecified vectors."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "72676",
"refsource": "BID",
"url": "http://www.securityfocus.com/bid/72676"
},
{
"name": "https://www.drupal.org/node/2428857",
"refsource": "CONFIRM",
"url": "https://www.drupal.org/node/2428857"
},
{
"name": "[oss-security] 20150425 CVE requests for Drupal contributed modules (from SA-CONTRIB-2015-034 to SA-CONTRIB-2015-099)",
"refsource": "MLIST",
"url": "http://www.openwall.com/lists/oss-security/2015/04/25/6"
},
{
"name": "https://www.drupal.org/node/2428855",
"refsource": "CONFIRM",
"url": "https://www.drupal.org/node/2428855"
},
{
"name": "https://www.drupal.org/node/2428863",
"refsource": "MISC",
"url": "https://www.drupal.org/node/2428863"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2015-4345",
"datePublished": "2015-06-15T14:00:00",
"dateReserved": "2015-06-05T00:00:00",
"dateUpdated": "2024-08-06T06:11:12.908Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
Vulnerability from fkie_nvd
Published
2013-03-19 14:55
Modified
2024-11-21 01:47
Severity ?
Summary
Cross-site request forgery (CSRF) vulnerability in the RESTful Web Services (restws) module 7.x-1.x before 7.x-1.2 and 7.x-2.x before 7.x-2.0-alpha4 for Drupal allows remote attackers to hijack the authentication of arbitrary users via unknown vectors.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| secalert@redhat.com | http://www.openwall.com/lists/oss-security/2013/01/21/5 | Mailing List, Third Party Advisory | |
| secalert@redhat.com | https://drupal.org/node/1890212 | Patch, Vendor Advisory | |
| secalert@redhat.com | https://drupal.org/node/1890216 | Patch, Vendor Advisory | |
| secalert@redhat.com | https://drupal.org/node/1890222 | Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | http://www.openwall.com/lists/oss-security/2013/01/21/5 | Mailing List, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://drupal.org/node/1890212 | Patch, Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://drupal.org/node/1890216 | Patch, Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://drupal.org/node/1890222 | Vendor Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| restful_web_services_project | restful_web_services | * | |
| restful_web_services_project | restful_web_services | 7.x-2.0 | |
| restful_web_services_project | restful_web_services | 7.x-2.0 | |
| restful_web_services_project | restful_web_services | 7.x-2.0 | |
| restful_web_services_project | restful_web_services | 7.x-2.0 | |
| drupal | drupal | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:restful_web_services_project:restful_web_services:*:*:*:*:*:drupal:*:*",
"matchCriteriaId": "41F98DA2-052C-4FB0-B03F-67A099C5F918",
"versionEndExcluding": "7.x-1.2",
"versionStartIncluding": "7.x-1.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:restful_web_services_project:restful_web_services:7.x-2.0:-:*:*:*:drupal:*:*",
"matchCriteriaId": "8B9DF868-6AEB-46F1-8AFF-38E816BC009A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:restful_web_services_project:restful_web_services:7.x-2.0:alpha1:*:*:*:drupal:*:*",
"matchCriteriaId": "B514E25A-AA3B-4FDB-B2D5-D90CCB1E5D3C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:restful_web_services_project:restful_web_services:7.x-2.0:alpha2:*:*:*:drupal:*:*",
"matchCriteriaId": "3026D944-0FF7-4F84-BC41-A6FF5B368A3D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:restful_web_services_project:restful_web_services:7.x-2.0:alpha3:*:*:*:drupal:*:*",
"matchCriteriaId": "32B60142-D4F5-4F73-8CE3-6CC9EC39F5D4",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:drupal:drupal:*:*:*:*:*:*:*:*",
"matchCriteriaId": "08E6CE0C-634D-4157-AA07-CCAB72238AC7",
"versionEndIncluding": "7.82",
"versionStartIncluding": "7.0",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Cross-site request forgery (CSRF) vulnerability in the RESTful Web Services (restws) module 7.x-1.x before 7.x-1.2 and 7.x-2.x before 7.x-2.0-alpha4 for Drupal allows remote attackers to hijack the authentication of arbitrary users via unknown vectors."
},
{
"lang": "es",
"value": "M\u00faltiples vulnerabilidades de falsificaci\u00f3n de petici\u00f3n en sitios cruzados (CSRF) en el m\u00f3dulo RESTful Web Services (restws) v7.x-1.x anterior a v7.x-1.2 y v7.x-2.x anterior a v7.x-2.0-alpha4 para Drupal, permite a atacantes remotos secuestrar la autenticaci\u00f3n de usuarios de su elecci\u00f3n a traves de vectores desconocidos."
}
],
"id": "CVE-2013-0205",
"lastModified": "2024-11-21T01:47:03.610",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 6.8,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 6.4,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
]
},
"published": "2013-03-19T14:55:01.090",
"references": [
{
"source": "secalert@redhat.com",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "http://www.openwall.com/lists/oss-security/2013/01/21/5"
},
{
"source": "secalert@redhat.com",
"tags": [
"Patch",
"Vendor Advisory"
],
"url": "https://drupal.org/node/1890212"
},
{
"source": "secalert@redhat.com",
"tags": [
"Patch",
"Vendor Advisory"
],
"url": "https://drupal.org/node/1890216"
},
{
"source": "secalert@redhat.com",
"tags": [
"Vendor Advisory"
],
"url": "https://drupal.org/node/1890222"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "http://www.openwall.com/lists/oss-security/2013/01/21/5"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Vendor Advisory"
],
"url": "https://drupal.org/node/1890212"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Vendor Advisory"
],
"url": "https://drupal.org/node/1890216"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://drupal.org/node/1890222"
}
],
"sourceIdentifier": "secalert@redhat.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-352"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2014-04-06 16:55
Modified
2024-11-21 01:50
Severity ?
Summary
The RESTful Web Services (RESTWS) module 7.x-1.x before 7.x-1.3 and 7.x-2.x before 7.x-2.0-alpha5 for Drupal, when page caching is enabled and anonymous users are assigned RESTWS permissions, allows remote attackers to cause a denial of service via a GET request with an HTTP Accept header set to a non-HTML type, which can "interfere with Drupal's page cache."
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| restful_web_services_project | restful_web_services | 7.x-1.1 | |
| restful_web_services_project | restful_web_services | 7.x-1.2 | |
| restful_web_services_project | restful_web_services | 7.x-2.0 | |
| restful_web_services_project | restful_web_services | 7.x-2.0 | |
| drupal | drupal | - |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:restful_web_services_project:restful_web_services:7.x-1.1:*:*:*:*:*:*:*",
"matchCriteriaId": "33B0E327-B2E6-461C-8348-52D32DFFACC9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:restful_web_services_project:restful_web_services:7.x-1.2:*:*:*:*:*:*:*",
"matchCriteriaId": "0D11CC28-9A03-4005-9CA4-DDD761716E2D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:restful_web_services_project:restful_web_services:7.x-2.0:alpha3:*:*:*:*:*:*",
"matchCriteriaId": "E992D7B0-649D-4B30-9519-8C0F044E0318",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:restful_web_services_project:restful_web_services:7.x-2.0:alpha4:*:*:*:*:*:*",
"matchCriteriaId": "242FB111-A4C7-4165-8F5F-B0B5EB3E8924",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:drupal:drupal:-:*:*:*:*:*:*:*",
"matchCriteriaId": "F8B1170D-AD33-4C7A-892D-63AC71B032CF",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "The RESTful Web Services (RESTWS) module 7.x-1.x before 7.x-1.3 and 7.x-2.x before 7.x-2.0-alpha5 for Drupal, when page caching is enabled and anonymous users are assigned RESTWS permissions, allows remote attackers to cause a denial of service via a GET request with an HTTP Accept header set to a non-HTML type, which can \"interfere with Drupal\u0027s page cache.\""
},
{
"lang": "es",
"value": "El m\u00f3dulo RESTful Web Services (RESTWS) 7.x-1.x anterior a 7.x-1.3 y 7.x-2.x anterior a 7.x-2.0-alpha5 para Drupal, cuando el cacheo de la p\u00e1gina est\u00e1 habilitado y usuarios an\u00f3nimos se les asignan permisos RESTWS, permite a atacantes remotos causar una denegaci\u00f3n de servicio a trav\u00e9s de una solicitud GET con una cabecera HTTP Accept configurada hacia un tipo no HTML, lo que puede \"interferir con el cacheo de p\u00e1gina de Drupal.\""
}
],
"id": "CVE-2013-1946",
"lastModified": "2024-11-21T01:50:43.667",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 4.3,
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
]
},
"published": "2014-04-06T16:55:06.970",
"references": [
{
"source": "secalert@redhat.com",
"url": "http://www.openwall.com/lists/oss-security/2013/04/12/1"
},
{
"source": "secalert@redhat.com",
"url": "http://www.osvdb.org/92259"
},
{
"source": "secalert@redhat.com",
"url": "https://drupal.org/node/1966752"
},
{
"source": "secalert@redhat.com",
"tags": [
"Patch",
"Vendor Advisory"
],
"url": "https://drupal.org/node/1966758"
},
{
"source": "secalert@redhat.com",
"tags": [
"Patch",
"Vendor Advisory"
],
"url": "https://drupal.org/node/1966780"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.openwall.com/lists/oss-security/2013/04/12/1"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.osvdb.org/92259"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://drupal.org/node/1966752"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Vendor Advisory"
],
"url": "https://drupal.org/node/1966758"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Vendor Advisory"
],
"url": "https://drupal.org/node/1966780"
}
],
"sourceIdentifier": "secalert@redhat.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-20"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2012-12-03 21:55
Modified
2024-11-21 01:44
Severity ?
Summary
Multiple cross-site request forgery (CSRF) vulnerabilities in the RESTful Web Services (RESTWS) module 7.x-1.x before 7.x-1.1 and 7.x-2.x before 7.x-2.0-alpha3 for Drupal allow remote attackers to hijack the authentication of arbitrary users via unknown vectors.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| restful_web_services_project | restful_web_services | 7.x-1.0 | |
| restful_web_services_project | restful_web_services | 7.x-1.0 | |
| restful_web_services_project | restful_web_services | 7.x-1.0 | |
| restful_web_services_project | restful_web_services | 7.x-1.x | |
| restful_web_services_project | restful_web_services | 7.x-2.0 | |
| restful_web_services_project | restful_web_services | 7.x-2.0 | |
| restful_web_services_project | restful_web_services | 7.x-2.x | |
| drupal | drupal | - |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:restful_web_services_project:restful_web_services:7.x-1.0:*:*:*:*:*:*:*",
"matchCriteriaId": "AAD3E473-417F-424C-88E2-8AB17F524278",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:restful_web_services_project:restful_web_services:7.x-1.0:beta1:*:*:*:*:*:*",
"matchCriteriaId": "A8DDAA9D-909B-464B-8074-4B3C50B264BC",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:restful_web_services_project:restful_web_services:7.x-1.0:beta2:*:*:*:*:*:*",
"matchCriteriaId": "92897428-7E2E-45F7-AF5A-8543AF0282AD",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:restful_web_services_project:restful_web_services:7.x-1.x:dev:*:*:*:*:*:*",
"matchCriteriaId": "A6E283B1-E34D-4DAA-AB38-577D8F1A3180",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:restful_web_services_project:restful_web_services:7.x-2.0:alpha1:*:*:*:*:*:*",
"matchCriteriaId": "6F9BCFDB-D6E2-4408-AA5B-B4ED013D55D6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:restful_web_services_project:restful_web_services:7.x-2.0:alpha2:*:*:*:*:*:*",
"matchCriteriaId": "9D7130B3-625B-4DD5-A625-E13DC31F8E74",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:restful_web_services_project:restful_web_services:7.x-2.x:dev:*:*:*:*:*:*",
"matchCriteriaId": "9388CCF6-BF20-4B9D-AF0F-6E38ED1104C4",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:drupal:drupal:-:*:*:*:*:*:*:*",
"matchCriteriaId": "F8B1170D-AD33-4C7A-892D-63AC71B032CF",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Multiple cross-site request forgery (CSRF) vulnerabilities in the RESTful Web Services (RESTWS) module 7.x-1.x before 7.x-1.1 and 7.x-2.x before 7.x-2.0-alpha3 for Drupal allow remote attackers to hijack the authentication of arbitrary users via unknown vectors."
},
{
"lang": "es",
"value": "M\u00faltiples vulnerabilidades de falsificaci\u00f3n de peticiones en sitios cruzados (CSRF) en el m\u00f3dulo ESTful Web Services (RESTWS) v7.x-1.x antes de v7.x-1.1 y v7.x-2.x antes de v7.x-2.0-alpha3 para Drupal, permite a atacantes remotos secuestrar la autenticaci\u00f3n de usuarios arbitrarios a trav\u00e9s de vectores desconocidos."
}
],
"id": "CVE-2012-5556",
"lastModified": "2024-11-21T01:44:52.750",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 6.8,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 6.4,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
]
},
"published": "2012-12-03T21:55:02.737",
"references": [
{
"source": "secalert@redhat.com",
"tags": [
"Patch"
],
"url": "http://drupal.org/node/1840722"
},
{
"source": "secalert@redhat.com",
"tags": [
"Patch"
],
"url": "http://drupal.org/node/1840728"
},
{
"source": "secalert@redhat.com",
"tags": [
"Patch",
"Vendor Advisory"
],
"url": "http://drupal.org/node/1840740"
},
{
"source": "secalert@redhat.com",
"url": "http://www.openwall.com/lists/oss-security/2012/11/20/4"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch"
],
"url": "http://drupal.org/node/1840722"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch"
],
"url": "http://drupal.org/node/1840728"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Vendor Advisory"
],
"url": "http://drupal.org/node/1840740"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.openwall.com/lists/oss-security/2012/11/20/4"
}
],
"sourceIdentifier": "secalert@redhat.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-352"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2020-02-11 21:15
Modified
2024-11-21 01:55
Severity ?
Summary
The RESTful Web Services (restws) module 7.x-1.x before 7.x-1.4 and 7.x-2.x before 7.x-2.1 for Drupal does not properly restrict access to entity write operations, which makes it easier for remote authenticated users with the "access resource node" and "create page content" permissions (or equivalents) to conduct cross-site scripting (XSS) or execute arbitrary PHP code via a crafted text field.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| secalert@redhat.com | http://www.openwall.com/lists/oss-security/2013/08/10/1 | Mailing List, Third Party Advisory | |
| secalert@redhat.com | https://drupal.org/node/2059591 | Release Notes, Vendor Advisory | |
| secalert@redhat.com | https://drupal.org/node/2059593 | Release Notes, Vendor Advisory | |
| secalert@redhat.com | https://drupal.org/node/2059603 | Patch, Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | http://www.openwall.com/lists/oss-security/2013/08/10/1 | Mailing List, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://drupal.org/node/2059591 | Release Notes, Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://drupal.org/node/2059593 | Release Notes, Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://drupal.org/node/2059603 | Patch, Vendor Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| restful_web_services_project | restful_web_services | * | |
| restful_web_services_project | restful_web_services | * | |
| restful_web_services_project | restful_web_services | 7.x-2.x |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:restful_web_services_project:restful_web_services:*:*:*:*:*:drupal:*:*",
"matchCriteriaId": "D0D6A8BA-0364-44BB-9F43-0594945193F1",
"versionEndExcluding": "7.x-1.4",
"versionStartIncluding": "7.x-1.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:restful_web_services_project:restful_web_services:*:*:*:*:*:drupal:*:*",
"matchCriteriaId": "B7AA02CE-91AC-4A81-B62B-BBAF75265E52",
"versionEndExcluding": "7.x-2.1",
"versionStartIncluding": "7.x-2.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:restful_web_services_project:restful_web_services:7.x-2.x:dev:*:*:*:drupal:*:*",
"matchCriteriaId": "38E1C460-2601-4231-A621-051C78C36929",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "The RESTful Web Services (restws) module 7.x-1.x before 7.x-1.4 and 7.x-2.x before 7.x-2.1 for Drupal does not properly restrict access to entity write operations, which makes it easier for remote authenticated users with the \"access resource node\" and \"create page content\" permissions (or equivalents) to conduct cross-site scripting (XSS) or execute arbitrary PHP code via a crafted text field."
},
{
"lang": "es",
"value": "El m\u00f3dulo RESTful Web Services (restws) versiones 7.x-1.x anteriores a 7.x-1.4 y versiones 7.x-2.x anteriores a 7.x-2.1 para Drupal, no restringe apropiadamente el acceso a las operaciones de escritura de entidades, lo que facilita a usuarios autenticados remotos con los permisos de \"access resource node\" y \"create page content\" (o equivalentes) conducir un ataque de tipo cross-site scripting (XSS) o ejecutar c\u00f3digo PHP arbitrario por medio de un campo de texto dise\u00f1ado."
}
],
"id": "CVE-2013-4225",
"lastModified": "2024-11-21T01:55:09.930",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 6.8,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 6.4,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2020-02-11T21:15:10.830",
"references": [
{
"source": "secalert@redhat.com",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "http://www.openwall.com/lists/oss-security/2013/08/10/1"
},
{
"source": "secalert@redhat.com",
"tags": [
"Release Notes",
"Vendor Advisory"
],
"url": "https://drupal.org/node/2059591"
},
{
"source": "secalert@redhat.com",
"tags": [
"Release Notes",
"Vendor Advisory"
],
"url": "https://drupal.org/node/2059593"
},
{
"source": "secalert@redhat.com",
"tags": [
"Patch",
"Vendor Advisory"
],
"url": "https://drupal.org/node/2059603"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "http://www.openwall.com/lists/oss-security/2013/08/10/1"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Release Notes",
"Vendor Advisory"
],
"url": "https://drupal.org/node/2059591"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Release Notes",
"Vendor Advisory"
],
"url": "https://drupal.org/node/2059593"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Vendor Advisory"
],
"url": "https://drupal.org/node/2059603"
}
],
"sourceIdentifier": "secalert@redhat.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
},
{
"lang": "en",
"value": "CWE-94"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2015-06-15 14:59
Modified
2024-11-21 02:30
Severity ?
Summary
The RESTWS Basic Auth submodule in the RESTful Web Services module 7.x-1.x before 7.x-1.5 and 7.x-2.x before 7.x-2.3 for Drupal caches pages for authenticated requests, which allows remote attackers to obtain sensitive information via unspecified vectors.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| restful_web_services_project | restful_web_services | 7.x-1.0 | |
| restful_web_services_project | restful_web_services | 7.x-1.1 | |
| restful_web_services_project | restful_web_services | 7.x-1.2 | |
| restful_web_services_project | restful_web_services | 7.x-1.3 | |
| restful_web_services_project | restful_web_services | 7.x-1.4 | |
| restful_web_services_project | restful_web_services | 7.x-2.0 | |
| restful_web_services_project | restful_web_services | 7.x-2.1 | |
| restful_web_services_project | restful_web_services | 7.x-2.2 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:restful_web_services_project:restful_web_services:7.x-1.0:*:*:*:*:drupal:*:*",
"matchCriteriaId": "DE9035C4-5A16-4F4A-A50D-280ACEC69AAD",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:restful_web_services_project:restful_web_services:7.x-1.1:*:*:*:*:drupal:*:*",
"matchCriteriaId": "4BE33D2E-F230-4ABC-905E-DDA604F3D055",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:restful_web_services_project:restful_web_services:7.x-1.2:*:*:*:*:drupal:*:*",
"matchCriteriaId": "6D92D588-EC1C-4F67-BDC1-FAD4BDEB50A6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:restful_web_services_project:restful_web_services:7.x-1.3:*:*:*:*:drupal:*:*",
"matchCriteriaId": "3F57195F-06E0-4EDE-AB77-C3FAB9AC1495",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:restful_web_services_project:restful_web_services:7.x-1.4:*:*:*:*:drupal:*:*",
"matchCriteriaId": "BB1E3933-CE9D-446D-9E46-D641F47D095B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:restful_web_services_project:restful_web_services:7.x-2.0:*:*:*:*:drupal:*:*",
"matchCriteriaId": "DAD4AFA5-9EEB-4129-A5B7-9308AA0D88BD",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:restful_web_services_project:restful_web_services:7.x-2.1:*:*:*:*:drupal:*:*",
"matchCriteriaId": "5503F9D0-B3A7-45EE-8B3A-206A9826AF4C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:restful_web_services_project:restful_web_services:7.x-2.2:*:*:*:*:drupal:*:*",
"matchCriteriaId": "D1E70FD9-F669-4F59-A6BB-C7E637D09460",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "The RESTWS Basic Auth submodule in the RESTful Web Services module 7.x-1.x before 7.x-1.5 and 7.x-2.x before 7.x-2.3 for Drupal caches pages for authenticated requests, which allows remote attackers to obtain sensitive information via unspecified vectors."
},
{
"lang": "es",
"value": "El subm\u00f3dulo RESTWS Basic Auth en el m\u00f3dulo RESTful Web Services 7.x-1.x anterior a 7.x-1.5 y 7.x-2.x anterior a 7.x-2.3 para Drupal cachea p\u00e1ginas para solicitudes autenticadas, lo que permite a atacantes remotos obtener informaci\u00f3n sensible a trav\u00e9s de vectores no especificados."
}
],
"id": "CVE-2015-4345",
"lastModified": "2024-11-21T02:30:52.007",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 5.0,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
]
},
"published": "2015-06-15T14:59:01.247",
"references": [
{
"source": "cve@mitre.org",
"url": "http://www.openwall.com/lists/oss-security/2015/04/25/6"
},
{
"source": "cve@mitre.org",
"url": "http://www.securityfocus.com/bid/72676"
},
{
"source": "cve@mitre.org",
"tags": [
"Patch"
],
"url": "https://www.drupal.org/node/2428855"
},
{
"source": "cve@mitre.org",
"tags": [
"Patch"
],
"url": "https://www.drupal.org/node/2428857"
},
{
"source": "cve@mitre.org",
"tags": [
"Vendor Advisory"
],
"url": "https://www.drupal.org/node/2428863"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.openwall.com/lists/oss-security/2015/04/25/6"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.securityfocus.com/bid/72676"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch"
],
"url": "https://www.drupal.org/node/2428855"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch"
],
"url": "https://www.drupal.org/node/2428857"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://www.drupal.org/node/2428863"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-200"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}