CVE-2013-4225

HIGH

RESTful Web Services 7.x-1.x < 7.x-1.4 and 7.x-2.x < 7.x-2.1 - Authenticated PHP Code Injection via Text Field


Description

The RESTful Web Services (restws) module for Drupal, versions 7.x-1.x before 7.x-1.4 and 7.x-2.x before 7.x-2.1, does not properly restrict access to entity write operations exposed through its REST interface. A remote authenticated user holding the "access resource node" and "create page content" permissions (or their equivalents) can submit a crafted text field through that interface and thereby conduct cross-site scripting (XSS) or execute arbitrary PHP code (the latter through a text format that evaluates PHP, such as Drupal 7's PHP filter). The practical lesson is that the REST write path must enforce the same per-field and per-format access checks that Drupal's form layer applies, not just the coarse content-creation permission.
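A compact model of the authorization gap just described: a write handler that checks only the content-creation permission and trusts the client-supplied text format, next to a hardened version that also checks the format against the account. This is a constructed illustration added to this page, not code from the restws module or from Drupal; the permission names ("create page content", "use text format ...") and the plain_text / full_html / php_code formats follow Drupal 7 conventions, but the Account class, the handlers and the request payload are hypothetical simplifications.

```python
"""Model of the write-path authorization gap described in this advisory.

Constructed illustration added to this page; it is not code from the restws
module or Drupal. Permission names follow Drupal 7 conventions and the formats
are typical Drupal 7 text formats, but the handler logic and the Account class
are hypothetical simplifications.
"""
from dataclasses import dataclass, field

# Text formats and the permission Drupal 7 demands before an account may
# apply each one. plain_text is the fallback format every account may use.
FORMAT_PERMISSIONS = {
    "plain_text": None,
    "full_html": "use text format full_html",   # raw HTML -> XSS if misused
    "php_code": "use text format php_code",     # PHP filter -> code execution
}


@dataclass
class Account:
    name: str
    permissions: set = field(default_factory=set)

    def has(self, perm):
        return perm is None or perm in self.permissions


def vulnerable_write(account, payload):
    """Write path that checks only the content-creation permission and then
    stores the text field exactly as submitted. The text format chosen by the
    client is trusted, so a "create page content" holder can store a body in
    php_code or full_html without holding the matching format permission."""
    if not account.has("create page content"):
        raise PermissionError("create page content required")
    body = payload["body"]
    return {"body": {"value": body["value"], "format": body["format"]}}


def hardened_write(account, payload):
    """Same write path with the format check the UI form layer performs:
    the requested format must exist and the account must hold its permission;
    a missing format falls back to plain_text instead of a client choice."""
    if not account.has("create page content"):
        raise PermissionError("create page content required")
    body = payload["body"]
    fmt = body.get("format", "plain_text")
    if fmt not in FORMAT_PERMISSIONS:
        raise PermissionError(f"unknown text format {fmt!r}")
    if not account.has(FORMAT_PERMISSIONS[fmt]):
        raise PermissionError(
            f"{account.name!r} may not use text format {fmt!r}")
    return {"body": {"value": body["value"], "format": fmt}}


def demo():
    """Run both handlers against a constructed request from a low-privilege
    account and report the stored format (or the refusal) for each."""
    contributor = Account("contributor", {"access resource node",
                                          "create page content"})
    # Constructed request body: a PHP payload tagged with the php_code format.
    request = {"body": {"value": "<?php system($_GET['cmd']); ?>",
                        "format": "php_code"}}
    results = {"vulnerable": vulnerable_write(contributor, request)["body"]["format"]}
    try:
        hardened_write(contributor, request)
        results["hardened"] = "stored"
    except PermissionError as exc:
        results["hardened"] = f"refused: {exc}"
    return results


if __name__ == "__main__":
    print(demo())
```

The vulnerable handler stores the body with the php_code format for an account that only holds "create page content"; the hardened handler refuses it and only accepts php_code from an account that also holds "use text format php_code". The same pattern applies to any other per-field access rule the UI enforces but an API write path might skip.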

References (4)

https://drupal.org/node/2059603 (Patch, Vendor Advisory)
https://drupal.org/node/2059591 (Release Notes, Vendor Advisory)
https://drupal.org/node/2059593 (Release Notes, Vendor Advisory)
http://www.openwall.com/lists/oss-security/2013/08/10/1 (Mailing List, Third Party Advisory)

Scores

CVSS v3.1 8.8
EPSS 0.0205
EPSS Percentile 78.9%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Note: the vector's PR:N (no privileges required) does not match the description, which requires an authenticated account holding "access resource node" and "create page content"; PR:L is the closer fit for that precondition, so treat the 8.8 score as an upper bound when prioritising.

Details

CWE
CWE-79 (Improper Neutralization of Input During Web Page Generation, 'Cross-site Scripting'), CWE-94 (Improper Control of Generation of Code, 'Code Injection')
Status published
Products (2)
restful_web_services_project/restful_web_services 7.x-2.x dev (all 7.x-2.x releases before 7.x-2.1)
restful_web_services_project/restful_web_services 7.x-1.0 up to, but not including, the fixed release 7.x-1.4
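To check installed copies against the affected ranges listed above, the following script classifies a Drupal 7 restws .info file by the version line that drupal.org's packaging script writes into it. This is a constructed example added to this page, not a tool from the project or vendor; the sample .info contents are constructed, and the handling of dev snapshots (treated as affected, matching the 7.x-2.x dev entry above) is a conservative assumption.

```python
"""Flag Drupal 7 restws .info files whose version falls in the affected ranges
listed on this page (7.x-1.x before 7.x-1.4, 7.x-2.x before 7.x-2.1).

Constructed example added to this page, not a tool from the project or
vendor. It relies on the version = "7.x-N.M" line that drupal.org's packaging
script writes into a module's .info file; a git checkout without that line
is reported as unknown rather than guessed.
"""
import re

# First fixed release per 7.x branch, taken from the advisory text above.
FIRST_FIXED = {1: 4, 2: 1}

VERSION_RE = re.compile(
    r'^\s*version\s*=\s*"?7\.x-(?P<branch>\d+)\.(?P<patch>\d+|x)(?:-(?P<tag>\w+))?"?',
    re.MULTILINE,
)


def parse_info_version(info_text):
    """Return (branch, patch, tag) from a .info file, with patch None for a
    7.x-N.x-dev snapshot, or None when no packaged version line is present."""
    m = VERSION_RE.search(info_text)
    if not m:
        return None
    patch = None if m.group("patch") == "x" else int(m.group("patch"))
    return int(m.group("branch")), patch, m.group("tag")


def classify(info_text):
    """Classify a restws .info file as 'affected', 'fixed', 'unknown' (no
    version line) or 'unlisted' (a branch this advisory does not cover).
    A dev snapshot of a covered branch is treated as affected (assumption,
    chosen to be conservative)."""
    parsed = parse_info_version(info_text)
    if parsed is None:
        return "unknown"
    branch, patch, _tag = parsed
    if branch not in FIRST_FIXED:
        return "unlisted"
    if patch is None or patch < FIRST_FIXED[branch]:
        return "affected"
    return "fixed"


# Constructed .info contents in the shape drupal.org packaging produces.
SAMPLES = {
    "restws-1.3": 'name = RESTful Web Services\ncore = 7.x\nversion = "7.x-1.3"\nproject = "restws"\n',
    "restws-1.4": 'name = RESTful Web Services\ncore = 7.x\nversion = "7.x-1.4"\n',
    "restws-2.0": 'core = 7.x\nversion = "7.x-2.0"\n',
    "restws-2.1": 'core = 7.x\nversion = "7.x-2.1"\n',
    "restws-2.x-dev": 'core = 7.x\nversion = "7.x-2.x-dev"\n',
    "git-checkout": 'name = RESTful Web Services\ncore = 7.x\n',
}


def audit(samples=SAMPLES):
    """Return {sample name: verdict} for each constructed .info text."""
    return {name: classify(text) for name, text in samples.items()}


if __name__ == "__main__":
    for name, verdict in audit().items():
        print(f"{name:15s} {verdict}")
```

On a real site, point classify() at the contents of sites/all/modules/restws/restws.info; an "unknown" verdict means the module came from a git checkout and the commit must be compared against the 7.x-1.4 / 7.x-2.1 tags by hand.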
Published Feb 11, 2020
Tracked Since Feb 18, 2026