Project: Services
Version: 7.x-3.x-dev
Date: 2019-February-27
Security risk: Critical 19∕25 AC:None/A:None/CI:All/II:Some/E:Theoretical/TD:Default
Vulnerability: SQL Injection
Description: This module provides a standardized solution for building APIs so that external clients can communicate with Drupal.
The module doesn't sufficiently sanitize user input for entity index resources, which allows SQL injection attacks.
This vulnerability is mitigated by the fact that the Drupal 7 site must have at least one "index" resource enabled under the Services endpoint configuration (admin/structure/services/list/MY-ENDPOINT/resources) and an attacker must know the endpoint's machine name.
Install the 7.x-3.22 version of the Services module for the fix, or disable any "index" resources to close the attack vector.
https://www.drupal.org/sa-contrib-2019-026
https://www.drupal.org/project/services/releases/7.x-3.23
Release notes
3036235: update fails on php 5.3.3
https://www.drupal.org/project/services/releases/7.x-3.22
Release notes
3032593: Cannot change user password
3032595: Unwanted hash mark properties passed on user update
3032597: Old node should not be passed through form_state on node update
Issue by samuel.mortenson: Validate index resource parameters
Services - Critical - SQL Injection - SA-CONTRIB-2019-026
https://www.drupal.org/project/services/releases/7.x-3.21
Release notes
Issue #2921517: Wrong version is applied to the controller by bceyssens: Wrong version is applied to the controller
Issue #2990684: Spelling fix by prashantgajare: Spelling fix
Issue #3021482: Several instances of "based" misspelled "baed" by govind.maloo, jacob.embree: Several instances of "based" misspelled "baed"
Issue #3027087: Pull in upstream changes to curlExec() by jacob.embree: Pull in upstream changes to curlExec()