SQL Injection in Drupal Drupal
| Risk | Low |
| Patch available | YES |
| Number of vulnerabilities | 1 |
| CVE-ID | CVE-2015-6665 |
| CWE-ID | CWE-564 |
| Exploitation vector | Network |
| Public exploit | N/A |
| Vulnerable software Subscribe |
Drupal Web applications / CMS |
| Vendor | Drupal |
Security Bulletin
This security bulletin contains one low risk vulnerability.
1) SQL Injection
EUVDB-ID: #VU428
Risk: Low
CVSSv3.1: 4.3 [CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2015-6665
CWE-ID:
CWE-564 - SQL Injection: Hibernate
Exploit availability: No
DescriptionThe vulnerability allows user with elevated permissions to get access to sensitive information.
The weakness exists due to SQL injection. The attacker inject specially crafted code inunsufficiently filtered SQL comments.
Successful exploitation of this vulnerability allows a malicious user to obtain potentially sensitive information.
Update to 7.39.
https://www.drupal.org/drupal-7.39-release-notes
Drupal: 7.1 - 7.38
CPE2.3
- cpe:2.3:a:drupal:drupal:7.13:*:*:*:*:*:*:*
- Full software list in CPE2.3 format available after registration.
http://www.drupal.org/SA-CORE-2015-003
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated privileged user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
