REST JSON – Multiple Vulnerabilities – Highly Critical – Unsupported – SA-CONTRIB-2016-033

Advisory ID: DRUPAL-SA-CONTRIB-2016-033
Project: REST/JSON (third-party module)
Version: 7.x
Date: 2016-June-08
Security risk: 19/25 (Critical) AC:None/A:None/CI:Some/II:Some/E:Proof/TD:All
Vulnerability: Access bypass, Information Disclosure, Multiple vulnerabilities
Description
This module enables you to expose content, users and comments via a JSON API.
The module contains multiple vulnerabilities, including:
Node access bypass
Comment access bypass
User enumeration
Field access bypass
User registration bypass
Blocked user login
Session name guessing
Session enumeration

CVE identifier(s) issued
A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
All 7.x-1.x versions
Drupal core is not affected. If you do not use the contributed REST JSON module, there is nothing you need to do.
Solution
If you use the REST JSON module for Drupal 7.x you should uninstall it.
Also see the REST/JSON project page.
Reported by
Lee Rowlands of the Drupal Security Team
Ben Dougherty of the Drupal Security Team
Fixed by
Not applicable
Coordinated by
Lee Rowlands of the


Original URL: https://www.drupal.org/node/2744889
