Vulnerability Details : CVE-2013-1946
The RESTful Web Services (RESTWS) module 7.x-1.x before 7.x-1.3 and 7.x-2.x before 7.x-2.0-alpha5 for Drupal, when page caching is enabled and anonymous users are assigned RESTWS permissions, allows remote attackers to cause a denial of service via a GET request with an HTTP Accept header set to a non-HTML type, which can "interfere with Drupal's page cache."
Vulnerability category: Input validation, Denial of service
Products affected by CVE-2013-1946
- cpe:2.3:a:restful_web_services_project:restful_web_services:7.x-2.0:alpha4:*:*:*:*:*:*
- cpe:2.3:a:restful_web_services_project:restful_web_services:7.x-1.1:*:*:*:*:*:*:*
- cpe:2.3:a:restful_web_services_project:restful_web_services:7.x-1.2:*:*:*:*:*:*:*
- cpe:2.3:a:restful_web_services_project:restful_web_services:7.x-2.0:alpha3:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2013-1946
- EPSS score: 0.95% (probability of exploitation activity in the next 30 days)
- Percentile: ~81% (the proportion of vulnerabilities that are scored at or less)
CVSS scores for CVE-2013-1946
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
4.3 | MEDIUM | AV:N/AC:M/Au:N/C:N/I:N/A:P | 8.6 | 2.9 | NIST | |
CWE ids for CVE-2013-1946
- The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly. Assigned by: nvd@nist.gov (Primary)
References for CVE-2013-1946
- https://drupal.org/node/1966780 : SA-CONTRIB-2013-042 - RESTful Web Services (RESTWS) - Denial of Service | Drupal.org (Patch; Vendor Advisory)
- https://drupal.org/node/1966758 (Patch; Vendor Advisory)
- http://www.openwall.com/lists/oss-security/2013/04/12/1 : oss-security - Re: CVE request for Drupal contributed modules
- https://drupal.org/node/1966752 : restws 7.x-1.3 | Drupal.org