CVSS2
Metric | Value |
---|---|
Attack Vector | NETWORK |
Attack Complexity | LOW |
Authentication | NONE |
Confidentiality Impact | PARTIAL |
Integrity Impact | PARTIAL |
Availability Impact | PARTIAL |

AV:N/AC:L/Au:N/C:P/I:P/A:P
AI Score
Confidence: Low
EPSS
Percentile: 100.0%
The expandArguments function in the database abstraction API in Drupal core 7.x before 7.32 does not properly construct prepared statements, which allows remote attackers to conduct SQL injection attacks via an array containing crafted keys.
Vendor | Product | Version | CPE |
---|---|---|---|
drupal | drupal | * | cpe:2.3:a:drupal:drupal:*:*:*:*:*:*:*:* |
debian | debian_linux | 7.0 | cpe:2.3:o:debian:debian_linux:7.0:*:*:*:*:*:*:* |
osvdb.org/show/osvdb/113371
packetstormsecurity.com/files/128720/Drupal-7.X-SQL-Injection.html
packetstormsecurity.com/files/128721/Drupal-7.31-SQL-Injection.html
packetstormsecurity.com/files/128741/Drupal-HTTP-Parameter-Key-Value-SQL-Injection.html
seclists.org/fulldisclosure/2014/Oct/75
secunia.com/advisories/59972
www.debian.org/security/2014/dsa-3051
www.exploit-db.com/exploits/34984
www.exploit-db.com/exploits/34992
www.exploit-db.com/exploits/34993
www.exploit-db.com/exploits/35150
www.openwall.com/lists/oss-security/2014/10/15/23
www.securityfocus.com/archive/1/533706/100/0/threaded
www.securityfocus.com/bid/70595
www.drupal.org/SA-CORE-2014-005
www.sektioneins.de/en/advisories/advisory-012014-drupal-pre-auth-sql-injection-vulnerability.html
www.sektioneins.de/en/blog/14-11-03-drupal-sql-injection-vulnerability-PoC.html