CVE-2013-4225

The RESTful Web Services (restws) module 7.x-1.x before 7.x-1.4 and 7.x-2.x before 7.x-2.1 for Drupal does not properly restrict access to entity write operations, which makes it easier for remote authenticated users with the "access resource node" and "create page content" permissions (or equivalents) to conduct cross-site scripting (XSS) or execute arbitrary PHP code via a crafted text field.

Published: Feb 11, 2020
Updated: Apr 13, 2023
CVE: CVE-2013-4225
Severity: High
Exploit:

CVSS v3:

Severity: High
Score: 8.8
AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CVSS v2:

Severity: Medium
Score: 6.8
AV:N/AC:M/Au:N/C:P/I:P/A:P

CWEs:

CWE-94
CWE-79

OWASP TOP 10:

A7 - Cross-Site Scripting (XSS)

Affected Software
References

Software	From	Fixed in
restful_web_services_project / restful_web_services	7.x-1.0	7.x-1.4
restful_web_services_project / restful_web_services	7.x-2.0	7.x-2.1
restful_web_services_project / restful_web_services	7.x-2.x-dev	7.x-2.x-dev.x

http://www.openwall.com/lists/oss-security/2013/08/10/1
https://drupal.org/node/2059591
https://drupal.org/node/2059593
https://drupal.org/node/2059603

Vulnerability Database

291,048

CVE-2013-4225