6 matches found
CVE-2014-9152
CVE-2014-9152 affects the Drupal Services module (7.x-3.x) prior to 7.x-3.10. The _user_resource_create function creates new user accounts with a password of 1, enabling remote attackers to brute-force the password. Impact is partial confidentiality and integrity risk for newly created accounts; ...
CVE-2013-2158
Summary of CVE-2013-2158 (Drupal Services CSRF): The Services module for Drupal 6.x-3.x and 7.x-3.x is vulnerable to Cross-Site Request Forgery due to insufficient verification of POST/PUT/DELETE requests with session cookie authentication. This could allow remote attackers to hijack the authent...
CVE-2014-9151
CVE-2014-9151 affects Drupal’s Services module (7.x-3.x) prior to 7.x-3.10. The vulnerability is due to insufficient flood control / rate limiting on authentication attempts, allowing remote attackers to brute-force the administrative password. The issue is addressed by upgrading to Services 7.x-...
CVE-2015-4393
The CVE-2015-4393 entry relates to a vulnerability in the Drupal Services module (7.x-3.x) prior to 7.x-3.12. Remote authenticated users who have the Save file information permission could use the resource/endpoint for uploading files to execute arbitrary code via a crafted filename. Affe...
CVE-2014-9153
CVE-2014-9153 is an XSS vulnerability in the Drupal Services module for Drupal 7.x-3.x, present before 7.x-3.10. The issue arises from an unfiltered JSONP callback parameter, allowing remote authenticated users to inject arbitrary JavaScript in a JSONP response. Affected version range is Services ...
CVE-2015-4394
The CVE-2015-4394 issue affects the Drupal Services module (7.x-3.x) prior to 7.x-3.12, where an improper field_access check allows remote attackers to disclose private field information. The vulnerability is tied to the Services module’s handling of entity field access, enabling information expo...