Full title: Drupal RESTful Web Services unserialize() Remote Code Execution Exploit 
Category: web applications
Platform: php
This Metasploit module exploits a PHP unserialize() vulnerability in Drupal RESTful Web Services by sending a crafted request to the /node REST endpoint. As per SA-CORE-2019-003, the initial remediation was to disable POST, PATCH, and PUT, but Ambionics discovered that GET was also vulnerable (albeit cached). Cached nodes can be exploited only once.

# 0day.today @ http://0day.today/