Vulnerability Description
The RESTful Web Services (restws) module 7.x-1.x before 7.x-1.4 and 7.x-2.x before 7.x-2.1 for Drupal does not properly restrict access to entity write operations, which makes it easier for remote authenticated users with the "access resource node" and "create page content" permissions (or equivalents) to conduct cross-site scripting (XSS) or execute arbitrary PHP code via a crafted text field.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Restful Web Services Project | Restful Web Services | >= 7.x-1.0, < 7.x-1.4 |
Related Weaknesses (CWE)
References
- http://www.openwall.com/lists/oss-security/2013/08/10/1 (Mailing List, Third Party Advisory)
- https://drupal.org/node/2059591 (Release Notes, Vendor Advisory)
- https://drupal.org/node/2059593 (Release Notes, Vendor Advisory)
- https://drupal.org/node/2059603 (Patch, Vendor Advisory)
FAQ
What is CVE-2013-4225?
CVE-2013-4225 is a vulnerability with a CVSS score of 8.8 (HIGH). The RESTful Web Services (restws) module 7.x-1.x before 7.x-1.4 and 7.x-2.x before 7.x-2.1 for Drupal does not properly restrict access to entity write operations, which makes it easier for remote aut...
How severe is CVE-2013-4225?
CVE-2013-4225 has been rated HIGH with a CVSS base score of 8.8/10. See the CVSS Score section above for the severity rating.
Is there a patch for CVE-2013-4225?
Check the References section above for vendor advisories and patch information. Affected products include: Restful Web Services (Restful Web Services Project).