SQL Injection in Drupal - CVE-2014-3704

Published: September 14, 2016 / Updated: September 14, 2018


Vulnerability identifier: #VU445
CSH Severity: High
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:A/U:Amber
CVE-ID: CVE-2014-3704
CWE-ID: CWE-564
Exploitation vector: Remote access
Exploit availability: Public exploit is available
Vendor: Drupal
Affected software:
Drupal core 7.x (7.0 through 7.31; fixed in 7.32)

Detailed vulnerability description

The vulnerability allows a remote, unauthenticated attacker to conduct a SQL injection attack.
The weakness exists in the database abstraction API that Drupal 7 uses to sanitize queries and prevent SQL injection. When a query placeholder is bound to an array value, the API expands it into a comma-separated list of placeholders and builds the new placeholder names from the array's keys without validating them. Because PHP parses request parameters of the form name[key]=value into arrays, an attacker can supply keys that are copied verbatim into the SQL text. A specially crafted request can therefore execute arbitrary SQL, which, depending on the request, may lead to privilege escalation, arbitrary PHP execution, or other attacks.
Successful exploitation of this vulnerability allows an anonymous attacker to perform a SQL injection attack without any user interaction.
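The following PHP script is an added example, not code from this page or from Drupal itself. It is a simplified, stand-alone reproduction of the placeholder expansion performed by DatabaseConnection::expandArguments() in Drupal 7's database layer (the real method works on its arguments by reference and is called internally by the query API; the version here returns the expanded query and arguments instead). The vulnerable variant builds placeholder names from caller-supplied array keys; the fixed variant applies the one-line array_values() change shipped in 7.32. The query string, the argument array and the attacker-controlled key are constructed for illustration.

```php
<?php
// Added example (not Drupal's own code): simplified reproduction of the
// array-placeholder expansion in Drupal 7's database abstraction layer.
// Function names, the query and the inputs are constructed for this demo.

// Vulnerable behaviour (Drupal 7.x before 7.32): the key of the nested
// array is concatenated into the new placeholder name without validation.
function expand_arguments_vulnerable(string $query, array $args): array {
  foreach (array_filter($args, 'is_array') as $key => $data) {
    $new_keys = array();
    foreach ($data as $i => $value) {
      // $i is the caller-supplied array key, so it can contain SQL text.
      $new_keys[$key . '_' . $i] = $value;
    }
    // Rewrite ":name" into the generated placeholder list; \b keeps
    // ":namefoo" from being touched, but does nothing about what $i holds.
    $query = preg_replace('#' . $key . '\b#', implode(', ', array_keys($new_keys)), $query);
    unset($args[$key]);
    $args += $new_keys;
  }
  return array($query, $args);
}

// Fixed behaviour (Drupal 7.32): array_values() discards the caller-supplied
// keys, so $i is always a numeric index and only :name_0, :name_1, ... can
// be generated. The attacker's text survives only as a bound value.
function expand_arguments_fixed(string $query, array $args): array {
  foreach (array_filter($args, 'is_array') as $key => $data) {
    $new_keys = array();
    foreach (array_values($data) as $i => $value) {
      $new_keys[$key . '_' . $i] = $value;
    }
    $query = preg_replace('#' . $key . '\b#', implode(', ', array_keys($new_keys)), $query);
    unset($args[$key]);
    $args += $new_keys;
  }
  return array($query, $args);
}

// A parameterised query of the kind the API is meant to protect; the
// caller expects only the ":name" placeholder to be rewritten.
$query = "SELECT * FROM {users} WHERE name = :name AND status = 1";

// Constructed attacker input. PHP turns a request parameter of the form
// name[<key>]=<value> into a nested array, so the attacker controls <key>.
// The trailing "#" starts a MySQL comment that swallows the rest of the
// original statement once the key has been spliced into the query.
$args = array(
  ':name' => array(
    "0 ;UPDATE users SET name='owned' WHERE uid=1;;# " => 'x',
    0 => 'y',
  ),
);

list($bad_query, $bad_args) = expand_arguments_vulnerable($query, $args);
echo "vulnerable: $bad_query\n";

list($good_query, $good_args) = expand_arguments_fixed($query, $args);
echo "fixed:      $good_query\n";
```

Running the script shows the root cause directly. The vulnerable expansion produces `SELECT * FROM {users} WHERE name = :name_0 ;UPDATE users SET name='owned' WHERE uid=1;;# , :name_0 AND status = 1`: the attacker's key has become SQL text that the prepared-statement layer will never treat as data, and the second, benign key `0` supplies the `:name_0` placeholder that is actually bound. The fixed expansion produces `SELECT * FROM {users} WHERE name = :name_0, :name_1 AND status = 1`, where both values are bound parameters and the attacker's string never reaches the query text. The same pattern is worth remembering when auditing any query builder: placeholder names derived from user-controlled keys are as dangerous as user-controlled values concatenated into SQL.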

How to mitigate CVE-2014-3704

Update Drupal core to version 7.32 or later, which fixes the placeholder expansion in the database abstraction API. To confirm that a site is patched, check that the expandArguments() method in includes/database/database.inc iterates over array_values() of the array argument rather than over the caller-supplied keys.
Because the flaw is exploitable by anonymous users with a single request and a public exploit is available, the Drupal security team advised that sites not updated within hours of the advisory should be treated as already compromised; updating alone does not remove backdoors or accounts an attacker may have created, so unpatched sites should be restored from a backup taken before the advisory or rebuilt.

Sources