The Web Services module 6.x for Drupal does not perform the expected access control, which allows remote attackers to make unspecified use of an API via unknown vectors.
https://exchange.xforce.ibmcloud.com/vulnerabilities/54249
http://www.vupen.com/english/advisories/2009/3218