
<div dir="ltr"><br><div class="gmail_quote">View online: <a href="https://www.drupal.org/sa-contrib-2020-022" rel="noreferrer" target="_blank">https://www.drupal.org/sa-contrib-2020-022</a><br>

<br>

Project: Services [1]<br>

Version: 7.x-3.x-dev<br>

Date: 2020-June-03<br>

Security risk: *Moderately critical* 11∕25<br>

AC:Basic/A:User/CI:Some/II:None/E:Theoretical/TD:All [2]<br>

Vulnerability: Access bypass<br>

<br>

Description: <br>

This module provides a standardized solution for building API's so that<br>

external clients can communicate with Drupal.<br>

<br>

The module's taxonomy term index resource doesn't take into consideration<br>

certain access control tags provided (but unused) by core, that certain<br>

contrib modules depend on.<br>

<br>

This vulnerability is mitigated by the fact your site must have the taxonomy<br>

term index resource enabled, your site must have a contributed module enabled<br>

which utilizes taxonomy term access control, and an attacker must know your<br>

api endpoint's path.<br>

<br>

Solution: <br>

Install the latest version:<br>

<br>

   * If you use the Services module for Drupal 7.x, upgrade to Services<br>

     7.x-3.26 [3]<br>

<br>

Also see the Services [4] project page.<br>

<br>

Reported By: <br>

   * Vadym Abramchuk  [5]<br>

<br>

Fixed By: <br>

   * Vadym Abramchuk  [6]<br>

   * Tyler Frankenstein  [7]<br>

<br>

Coordinated By: <br>

   * Greg Knaddison [8] of the Drupal Security Team<br>

<br>

<br>

[1] <a href="https://www.drupal.org/project/services" rel="noreferrer" target="_blank">https://www.drupal.org/project/services</a><br>

[2] <a href="https://www.drupal.org/security-team/risk-levels" rel="noreferrer" target="_blank">https://www.drupal.org/security-team/risk-levels</a><br>

[3] <a href="https://www.drupal.org/node/3144924" rel="noreferrer" target="_blank">https://www.drupal.org/node/3144924</a><br>

[4] <a href="https://www.drupal.org/project/services" rel="noreferrer" target="_blank">https://www.drupal.org/project/services</a><br>

[5] <a href="https://www.drupal.org/user/3216035" rel="noreferrer" target="_blank">https://www.drupal.org/user/3216035</a><br>

[6] <a href="https://www.drupal.org/user/3216035" rel="noreferrer" target="_blank">https://www.drupal.org/user/3216035</a><br>

[7] <a href="https://www.drupal.org/user/150680" rel="noreferrer" target="_blank">https://www.drupal.org/user/150680</a><br>

[8] <a href="https://www.drupal.org/user/36762" rel="noreferrer" target="_blank">https://www.drupal.org/user/36762</a><br>

<br>

_______________________________________________<br>

Security-news mailing list<br>

<a href="mailto:Security-news@drupal.org" target="_blank">Security-news@drupal.org</a><br>

Unsubscribe at <a href="https://lists.drupal.org/mailman/listinfo/security-news" rel="noreferrer" target="_blank">https://lists.drupal.org/mailman/listinfo/security-news</a></div><div class="gmail_quote"><br></div><div class="gmail_quote"><div><div dir="ltr" class="gmail_signature"><div dir="ltr"><div>===</div><div>Computer Security Incident Response Team - CSIRT</div><div>Universidade Estadual de Campinas - Unicamp</div><div>Centro de Computacao - CCUEC</div><div>GnuPG Public Key: <a href="http://www.security.unicamp.br/security.asc" target="_blank">http://www.security.unicamp.br/security.asc</a> [^]</div><div>Contato: +55 19 3521-2289 ou INOC-DBA: 1251*830</div></div></div></div>

</div></div>