7.5 High
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P
0.967 High
EPSS
Percentile
99.7%
The Services module enables you to expose an API to third party systems using REST, XML-RPC or other protocols.
When creating a new user account via Services, the new userโs password was set to a weak password.
This issue is mitigated by the fact that the user resource must be enabled (or least have been enabled in the past) and new user registration permitted via Services.
Action required: This release of Services comes with an interface and a drush command to perform actions in order to secure your site and get rid of this vulnerability. After installing this release and running the regular database updates, make sure to read all the information provided at admin/config/services/services-security, and pick the option most suited to your site. For example, you can reset the password of all user accounts that have been created since August 30th, 2013 (recommended).
The JSONP response of a callback parameter is unfiltered and outputs raw HTTP data. This can lead to arbitrary JavaScript execution.
This issue is mitigated by the fact that JSONP is not enabled by default in the REST server response formatters and the HTTP client Accept header must be set to text/javascript or application/javascript if the โxmlโ formatter is enabled.
Services module now restricts callback parameters to alphanumeric characters only and a hard limit of 60 characters.
Flood control was not properly enforced leaving it vulnerable to brute force attacks. Services now implements flood control just like core Drupal does.
Drupal core is not affected. If you do not use the contributed Services module,
there is nothing you need to do.
Install the latest version:
Also see the Services project page.
www.drupal.org/contact
www.drupal.org/node/2344423
www.drupal.org/project/services
www.drupal.org/security-team
www.drupal.org/security-team/risk-levels
www.drupal.org/security/secure-configuration
www.drupal.org/u/greggles
www.drupal.org/user/1367862
www.drupal.org/user/211387
www.drupal.org/user/2812719
www.drupal.org/user/52142
www.drupal.org/user/896508
www.drupal.org/writing-secure-code