CVE-2014-3704 Information

Feb 14, 2021 cve

Description

The expandArguments function in the database abstraction API in Drupal core 7.x before 7.32 does not properly construct prepared statements which allows remote attackers to conduct SQL injection attacks via an array containing crafted keys.

Reference

http://osvdb.org/show/osvdb/113371 http://packetstormsecurity.com/files/128720/Drupal-7.X-SQL-Injection.html http://packetstormsecurity.com/files/128721/Drupal-7.31-SQL-Injection.html http://packetstormsecurity.com/files/128741/Drupal-HTTP-Parameter-Key-Value-SQL-Injection.html http://seclists.org/fulldisclosure/2014/Oct/75 http://secunia.com/advisories/59972 http://www.debian.org/security/2014/dsa-3051 http://www.exploit-db.com/exploits/34984 http://www.exploit-db.com/exploits/34992 http://www.exploit-db.com/exploits/34993 http://www.exploit-db.com/exploits/35150 http://www.openwall.com/lists/oss-security/2014/10/15/23 http://www.securityfocus.com/archive/1/533706/100/0/threaded http://www.securityfocus.com/bid/70595 https://www.drupal.org/SA-CORE-2014-005 https://www.sektioneins.de/en/advisories/advisory-012014-drupal-pre-auth-sql-injection-vulnerability.html https://www.sektioneins.de/en/blog/14-11-03-drupal-sql-injection-vulnerability-PoC.html

Share on: