Cross site scripting

2020-02-1121:15:00

PRIOn knowledge base

www.prio-n.com

6.2 Medium

AI Score

Confidence

High

0.005 Low

EPSS

Percentile

76.3%

JSON

The RESTful Web Services (restws) module 7.x-1.x before 7.x-1.4 and 7.x-2.x before 7.x-2.1 for Drupal does not properly restrict access to entity write operations, which makes it easier for remote authenticated users with the “access resource node” and “create page content” permissions (or equivalents) to conduct cross-site scripting (XSS) or execute arbitrary PHP code via a crafted text field.

CPENameOperatorVersion
restful_web_serviceseq>= 7.x1.0 AND < 7.x1.4
restful_web_serviceseq>= 7.x2.0 AND < 7.x2.1
restful_web_serviceseq7.x-2.x dev

Name	Operator	Version
restful_web_services	eq	>= 7.x1.0 AND < 7.x1.4
restful_web_services	eq	>= 7.x2.0 AND < 7.x2.1
restful_web_services	eq	7.x-2.x dev

References

www.openwall.com/lists/oss-security/2013/08/10/1

drupal.org/node/2059591

drupal.org/node/2059593

drupal.org/node/2059603