CVE-2013-4225
HIGH
RESTful Web Services 7.x-1.x < 7.x-1.4 and 7.x-2.x < 7.x-2.1 - Authenticated PHP Code Injection via Text Field
The RESTful Web Services (restws) module 7.x-1.x before 7.x-1.4 and 7.x-2.x before 7.x-2.1 for Drupal does not properly restrict access to entity write operations, which makes it easier for remote authenticated users with the "access resource node" and "create page content" permissions (or equivalents) to conduct cross-site scripting (XSS) or execute arbitrary PHP code via a crafted text field.
References (4)
Core References
Patch, Vendor Advisory x_refsource_misc
https://drupal.org/node/2059603
Release Notes, Vendor Advisory x_refsource_misc
https://drupal.org/node/2059591
Release Notes, Vendor Advisory x_refsource_misc
https://drupal.org/node/2059593
Mailing List, Third Party Advisory x_refsource_misc
http://www.openwall.com/lists/oss-security/2013/08/10/1
Scores
CVSS v3
8.8
EPSS
0.0205
EPSS Percentile
78.9%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Details
CWE
CWE-79
CWE-94
Status
published
Products (2)
restful_web_services_project/restful_web_services
7.x-2.x dev
restful_web_services_project/restful_web_services
7.x-1.0 - 7.x-1.4
Published
Feb 11, 2020
Tracked Since
Feb 18, 2026