#VU428 SQL Injection in Drupal
Vulnerability identifier: #VU428
Vulnerability risk: Low
CVSSv3.1: 4.3 [CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C]
CVE-ID:
CWE-ID:
CWE-564
Exploitation vector: Network
Exploit availability: No
Vulnerable software:
Drupal
Web applications /
CMS
Vendor: Drupal
Description
The vulnerability allows user with elevated permissions to get access to sensitive information.
The weakness exists due to SQL injection. The attacker inject specially crafted code inunsufficiently filtered SQL comments.
Successful exploitation of this vulnerability allows a malicious user to obtain potentially sensitive information.
Mitigation
Update to 7.39.
https://www.drupal.org/drupal-7.39-release-notes
Vulnerable software versions
Drupal: 7.1 - 7.38
External links
http://www.drupal.org/SA-CORE-2015-003
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated privileged user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
