Lucene search

PRIOn knowledge basePRION:CVE-2014-3704

HistoryOct 16, 2014 - 12:55 a.m.

Sql injection

2014-10-1600:55:00

PRIOn knowledge base

www.prio-n.com

8 High

AI Score

Confidence

Low

7.5 High

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

0.975 High

EPSS

Percentile

100.0%

JSON

The expandArguments function in the database abstraction API in Drupal core 7.x before 7.32 does not properly construct prepared statements, which allows remote attackers to conduct SQL injection attacks via an array containing crafted keys.

CPENameOperatorVersion
debian_linuxeq7.0
drupalge7.0
drupallt7.32

Name	Operator	Version
debian_linux	eq	7.0
drupal	ge	7.0
drupal	lt	7.32

References

osvdb.org/show/osvdb/113371

packetstormsecurity.com/files/128720/Drupal-7.X-SQL-Injection.html

packetstormsecurity.com/files/128721/Drupal-7.31-SQL-Injection.html

packetstormsecurity.com/files/128741/Drupal-HTTP-Parameter-Key-Value-SQL-Injection.html

seclists.org/fulldisclosure/2014/Oct/75

secunia.com/advisories/59972

www.debian.org/security/2014/dsa-3051

www.openwall.com/lists/oss-security/2014/10/15/23

www.securityfocus.com/archive/1/533706/100/0/threaded

www.securityfocus.com/bid/70595

www.drupal.org/SA-CORE-2014-005

www.exploit-db.com/exploits/34984

www.exploit-db.com/exploits/34992

www.exploit-db.com/exploits/34993

www.exploit-db.com/exploits/35150

www.sektioneins.de/en/advisories/advisory-012014-drupal-pre-auth-sql-injection-vulnerability.html

www.sektioneins.de/en/blog/14-11-03-drupal-sql-injection-vulnerability-PoC.html

8 High

AI Score

Confidence

Low

7.5 High

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

0.975 High

EPSS

Percentile

100.0%

JSON

Related for PRION:CVE-2014-3704