{"id":"DRUPAL-CONTRIB-2018-021","details":"This module provides a JSON API standards-compliant API for accessing and manipulating Drupal content and configuration entities.\n\nThe module doesn't provide CSRF protection when processing authenticated traffic using cookie-based authentication.\n\nThis vulnerability is mitigated by the fact that an attacker must be allowed to create or modify entities of a certain type, and a very specific and uncommon CORS configuration that allows all other pre-checks to be skipped.","modified":"2025-12-10T23:32:54.107910Z","published":"2018-04-25T17:43:28Z","references":[{"type":"WEB","url":"https://www.drupal.org/sa-contrib-2018-021"}],"affected":[{"package":{"name":"drupal/jsonapi","ecosystem":"Packagist:https://packages.drupal.org/8","purl":"pkg:composer/drupal/jsonapi"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"1.16.0"}],"database_specific":{"constraint":"\u003c1.16.0"}}],"database_specific":{"affected_versions":"\u003c1.16.0","source":"https://github.com/DrupalSecurityTeam/drupal-advisory-database/blob/main/advisories/jsonapi/DRUPAL-CONTRIB-2018-021.json"}}],"schema_version":"1.7.3","credits":[{"name":"Mateu Aguiló Bosch (e0ipso)","contact":["https://www.drupal.org/user/550110"]}]}