Advisory ID: DRUPAL-SA-CONTRIB-2016-033
Project: REST/JSON (third-party module)
Security risk: 19/25 (Critical) AC:None/A:None/CI:Some/II:Some/E:Proof/TD:All
Vulnerability: Access bypass, Information Disclosure, Multiple vulnerabilities
This module enables you to expose content, users and comments via a JSON API.
The module contains multiple vulnerabilities, including:
Node access bypass
Comment access bypass
Field access bypass
User registration bypass
Blocked user login
Session name guessing
CVE identifier(s) issued
A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
All 7.x-1.x versions
Drupal core is not affected. If you do not use the contributed REST/JSON module, there is nothing you need to do.
If you use the REST/JSON module for Drupal 7.x, you should uninstall it.
Also see the REST/JSON project page.
Lee Rowlands of the Drupal Security Team
Ben Dougherty of the Drupal Security Team
Lee Rowlands of the
Original URL: https://www.drupal.org/node/2744889