#VU445 SQL Injection in Drupal - CVE-2014-3704

 


Published: September 14, 2016 / Updated: September 14, 2018


Vulnerability identifier: #VU445
Vulnerability risk: High
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:A/U:Amber
CVE-ID: CVE-2014-3704
CWE-ID: CWE-564
Exploitation vector: Remote access
Exploit availability: Public exploit is available
Vulnerable software:
Drupal
Software vendor:
Drupal

Description

The vulnerability allows an anonymous user to conduct a SQL injection attack.
The weakness exists in the database abstraction API, the layer that is meant to protect the system from SQL injection. Sending a specially crafted request to the API may lead to privilege escalation, arbitrary PHP execution, or other attacks such as SQL injection.
Successful exploitation of this vulnerability may allow an anonymous attacker to perform a SQL injection attack.

Remediation


External links