DRUPAL-CONTRIB-2024-018

Import Source
https://github.com/DrupalSecurityTeam/drupal-advisory-database/blob/main/advisories/rest_views/DRUPAL-CONTRIB-2024-018.json
JSON Data
https://api.osv.dev/v1/vulns/DRUPAL-CONTRIB-2024-018
Aliases
  • CVE-2024-13254
Published
2024-04-24T14:23:34Z
Modified
2025-12-10T23:41:31.465543Z
Summary
[none]
Details

The REST Views module lets site admins create REST exports in Views with additional options for serializing data.

This module does not correctly check access and may expose paths to unpublished content.

This vulnerability is mitigated by the fact that a specific content structure must be present for anything to be exposed.

Paths to unpublished entities (such as nodes) will be exposed if those entities are referenced from other entities listed in a REST display, and the reference field on those listed entities is displayed with the "Entity path" formatter.


Affected packages

Packagist:https://packages.drupal.org/8 / drupal/rest_views

Package

Name
drupal/rest_views
Purl
pkg:composer/drupal/rest_views

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
3.0.1
Database specific
{
    "constraint": "<3.0.1"
}

Database specific

affected_versions
"<3.0.1"
source
"https://github.com/DrupalSecurityTeam/drupal-advisory-database/blob/main/advisories/rest_views/DRUPAL-CONTRIB-2024-018.json"