#VU428 SQL Injection


Published: 2016-09-14

Vulnerability identifier: #VU428

Vulnerability risk: Low

CVSSv3.1: 4.3 [CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2015-6665

CWE-ID: CWE-564

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Drupal
Web applications / CMS

Vendor: Drupal

Description
The vulnerability allows user with elevated permissions to get access to sensitive information.
The weakness exists due to SQL injection. The attacker inject specially crafted code inunsufficiently filtered SQL comments.
Successful exploitation of this vulnerability allows a malicious user to obtain potentially sensitive information.

Mitigation
Update to 7.39.
https://www.drupal.org/drupal-7.39-release-notes

Vulnerable software versions

Drupal: 7.1 - 7.38


CPE

External links
http://www.drupal.org/SA-CORE-2015-003


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated privileged user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.


Latest bulletins with this vulnerability