CVSS2: 7.5 High
Access Vector: NETWORK
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P

EPSS: 0.975 High
Percentile: 100.0%

The expandArguments function in the database abstraction API in Drupal core
7.x before 7.32 does not properly construct prepared statements, which
allows remote attackers to conduct SQL injection attacks via an array
containing crafted keys.
www.openwall.com/lists/oss-security/2014/10/15/23
launchpad.net/bugs/cve/CVE-2014-3704
nvd.nist.gov/vuln/detail/CVE-2014-3704
security-tracker.debian.org/tracker/CVE-2014-3704
www.cve.org/CVERecord?id=CVE-2014-3704
www.drupal.org/SA-CORE-2014-005
www.sektioneins.de/en/advisories/advisory-012014-drupal-pre-auth-sql-injection-vulnerability.html