SQL Injection in Drupal Drupal



Published: 2015-08-24 | Updated: 2016-09-14
Risk Low
Patch available YES
Number of vulnerabilities 1
CVE-ID CVE-2015-6665
CWE-ID CWE-564
Exploitation vector Network
Public exploit N/A
Vulnerable software
Subscribe
Drupal
Web applications / CMS

Vendor Drupal

Security Bulletin

This security bulletin contains one low risk vulnerability.

1) SQL Injection

EUVDB-ID: #VU428

Risk: Low

CVSSv3.1: 4.3 [CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2015-6665

CWE-ID: CWE-564 - SQL Injection: Hibernate

Exploit availability: No

Description

The vulnerability allows user with elevated permissions to get access to sensitive information.
The weakness exists due to SQL injection. The attacker inject specially crafted code inunsufficiently filtered SQL comments.
Successful exploitation of this vulnerability allows a malicious user to obtain potentially sensitive information.

Mitigation

Update to 7.39.
https://www.drupal.org/drupal-7.39-release-notes

Vulnerable software versions

Drupal: 7.1 - 7.38


CPE2.3 External links

http://www.drupal.org/SA-CORE-2015-003

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated privileged user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.



###SIDEBAR###