CVSS2 base score: 6 (Medium)
Attack Vector: NETWORK
Attack Complexity: MEDIUM
Authentication: SINGLE
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: PARTIAL
Vector: AV:N/AC:M/Au:S/C:P/I:P/A:P
EPSS score: 0.967 (High), percentile 99.7%
The Services module enables you to expose an API to third-party systems.
The resource/endpoint for uploading files does not properly sanitize the filename of uploaded files. This vulnerability is mitigated by the fact that the "File > Create" resource must be enabled and an attacker must have a role with the Services "Save file information" permission.
Services does not check field_access when displaying entities, so some private field information may be displayed. This vulnerability only affects sites using the field access system (for example, via the Field Permissions module) to hide fields from anonymous users.
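As an added illustration (not code from the Services module or from this advisory), the two checks the advisory describes as missing, written against Drupal 7 core file.inc and field.module APIs; the function names, the extension allow-list and the public:// destination are assumptions:

```php
<?php
// Added example, not Services module code. Assumes Drupal 7 core is loaded.

/**
 * Return a filesystem-safe, unique destination URI for a client-supplied
 * filename. The client string is never used as a path on its own.
 */
function example_safe_upload_destination($client_filename, $allowed = 'jpg jpeg png gif pdf') {
  // Strip directory components, including backslash-separated ones,
  // so "../../sites/default/settings.php" becomes "settings.php".
  $basename = drupal_basename(str_replace('\\', '/', $client_filename));
  // Reject empty names and dotfiles such as ".htaccess".
  if ($basename === '' || $basename[0] === '.') {
    return FALSE;
  }
  // Neutralise extensions outside the allow-list, including double
  // extensions ("shell.php.txt" becomes "shell.php_.txt"). Note that core
  // skips munging when the allow_insecure_uploads variable is set.
  $basename = file_munge_filename($basename, $allowed, FALSE);
  // file_create_filename() returns a unique URI inside the chosen directory.
  return file_create_filename($basename, 'public://');
}

/**
 * Copy of an entity's field values that $account may view. field_access()
 * is the core check that honours modules such as Field Permissions.
 */
function example_viewable_fields($entity_type, $entity, $account) {
  list(, , $bundle) = entity_extract_ids($entity_type, $entity);
  $out = array();
  foreach (field_info_instances($entity_type, $bundle) as $field_name => $instance) {
    $field = field_info_field($field_name);
    if (!isset($entity->{$field_name})) {
      continue;
    }
    // Only expose the field when the requesting account passes field access.
    if (field_access('view', $field, $entity_type, $entity, $account)) {
      $out[$field_name] = $entity->{$field_name};
    }
  }
  return $out;
}
```

A REST response built from example_viewable_fields() instead of the raw entity object omits the fields the field access system hides from that account.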
Services 7.x-3.x versions prior to 7.x-3.12.
Drupal core is not affected. If you do not use the contributed Services module, there is nothing you need to do.
Install the latest version of Services: Services 7.x-3.12.
As a reminder, Services for Drupal 6 is no longer maintained.
Also see the Services project page.
twitter.com/drupalsecurity
www.drupal.org/contact
www.drupal.org/node/2471847
www.drupal.org/project/field_permissions
www.drupal.org/project/services
www.drupal.org/security-team
www.drupal.org/security-team/risk-levels
www.drupal.org/security/secure-configuration
www.drupal.org/u/benjy
www.drupal.org/u/bevan
www.drupal.org/u/fabianx
www.drupal.org/u/kylebrowning
www.drupal.org/u/scor
www.drupal.org/user/235790
www.drupal.org/writing-secure-code