DRUPAL-CONTRIB-2018-021

Import Source

https://github.com/DrupalSecurityTeam/drupal-advisory-database/blob/main/advisories/jsonapi/DRUPAL-CONTRIB-2018-021.json

JSON Data

https://api.osv.dev/v1/vulns/DRUPAL-CONTRIB-2018-021

Published

2018-04-25T17:43:28Z

Modified

2025-12-10T23:32:54.107910Z

Summary

[none]

Details

This module provides a JSON API standards-compliant API for accessing and manipulating Drupal content and configuration entities.

The module doesn't provide CSRF protection when processing authenticated traffic using cookie-based authentication.

This vulnerability is mitigated by the fact that an attacker must be allowed to create or modify entities of a certain type, and a very specific and uncommon CORS configuration that allows all other pre-checks to be skipped.

References

https://www.drupal.org/sa-contrib-2018-021

Credits

- Mateu Aguiló Bosch (e0ipso)
- - https://www.drupal.org/user/550110

Affected packages

Packagist:https://packages.drupal.org/8 / drupal/jsonapi

Package

Name: drupal/jsonapi
Purl: pkg:composer/drupal/jsonapi

Affected ranges

Type

ECOSYSTEM

Events

Introduced

Fixed

1.16.0

Database specific

{
    "constraint": "<1.16.0"
}

Database specific

affected_versions

"<1.16.0"

source

"https://github.com/DrupalSecurityTeam/drupal-advisory-database/blob/main/advisories/jsonapi/DRUPAL-CONTRIB-2018-021.json"