CVE-2014-3704
9.4 High
AI Score
Confidence
High
7.5 High
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P
0.975 High
EPSS
Percentile
100.0%
The expandArguments function in the database abstraction API in Drupal core 7.x before 7.32 does not properly construct prepared statements, which allows remote attackers to conduct SQL injection attacks via an array containing crafted keys.
| CPE | Name | Operator | Version |
|---|---|---|---|
| drupal:drupal | drupal | lt | 7.32 |
| debian:debian_linux | debian debian linux | eq | 7.0 |
References
osvdb.org/show/osvdb/113371
packetstormsecurity.com/files/128720/Drupal-7.X-SQL-Injection.html
packetstormsecurity.com/files/128721/Drupal-7.31-SQL-Injection.html
packetstormsecurity.com/files/128741/Drupal-HTTP-Parameter-Key-Value-SQL-Injection.html
seclists.org/fulldisclosure/2014/Oct/75
secunia.com/advisories/59972
www.debian.org/security/2014/dsa-3051
www.exploit-db.com/exploits/34984
www.exploit-db.com/exploits/34992
www.exploit-db.com/exploits/34993
www.exploit-db.com/exploits/35150
www.openwall.com/lists/oss-security/2014/10/15/23
www.securityfocus.com/archive/1/533706/100/0/threaded
www.securityfocus.com/bid/70595
www.drupal.org/SA-CORE-2014-005
www.sektioneins.de/en/advisories/advisory-012014-drupal-pre-auth-sql-injection-vulnerability.html
www.sektioneins.de/en/blog/14-11-03-drupal-sql-injection-vulnerability-PoC.html
Social References
More
Related
9.4 High
AI Score
Confidence
High
7.5 High
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P
0.975 High
EPSS
Percentile
100.0%