Vulnerability Name: CVE-2014-3704 (CCN-97054)
Assigned: 2014-10-15
Published: 2014-10-15
Updated: 2021-09-29
Summary: The expandArguments function in the database abstraction API in Drupal core 7.x before 7.32 does not properly construct prepared statements, which allows remote attackers to conduct SQL injection attacks via an array containing crafted keys.
CVSS v3 Severity:
  7.3 High (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)
CVSS v2 Severity:
  7.5 High (CVSS v2 Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P)
  6.2 Medium (Temporal CVSS v2 Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P/E:F/RL:OF/RC:C)
  6.2 Medium (CCN Temporal CVSS v2 Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P/E:F/RL:OF/RC:C)
Vulnerability Type: CWE-89
Vulnerability Consequences: Data Manipulation
References:
  Source: MITRE Type: CNA CVE-2014-3704
  Source: OSVDB Type: Broken Link 113371
  Source: MISC Type: Exploit, Third Party Advisory, VDB Entry http://packetstormsecurity.com/files/128720/Drupal-7.X-SQL-Injection.html
  Source: MISC Type: Exploit, Third Party Advisory, VDB Entry http://packetstormsecurity.com/files/128721/Drupal-7.31-SQL-Injection.html
  Source: MISC Type: Exploit, Third Party Advisory, VDB Entry http://packetstormsecurity.com/files/128741/Drupal-HTTP-Parameter-Key-Value-SQL-Injection.html
  Source: FULLDISC Type: Exploit, Mailing List, Patch, Third Party Advisory 20141016 Advisory 01/2014: Drupal7 - pre Auth SQL Injection Vulnerability
  Source: SECUNIA Type: Third Party Advisory 59972
  Source: DEBIAN Type: Third Party Advisory DSA-3051
  Source: EXPLOIT-DB Type: Exploit, Third Party Advisory, VDB Entry 34984
  Source: EXPLOIT-DB Type: Exploit, Third Party Advisory, VDB Entry 34992
  Source: EXPLOIT-DB Type: Exploit, Third Party Advisory, VDB Entry 34993
  Source: EXPLOIT-DB Type: Exploit, Third Party Advisory, VDB Entry 35150
  Source: MLIST Type: Exploit, Mailing List, Patch [oss-security] 20141015 Advisory 01/2014: Drupal7 - pre Auth SQL Injection Vulnerability
  Source: BUGTRAQ Type: Third Party Advisory, VDB Entry 20141015 Advisory 01/2014: Drupal7 - pre Auth SQL Injection Vulnerability
  Source: BID Type: Third Party Advisory, VDB Entry 70595
  Source: CCN Type: BID-70595 Drupal Core CVE-2014-3704 SQL Injection Vulnerability
  Source: XF Type: UNKNOWN drupal-core-cve20143704-sql-injection(97054)
  Source: CCN Type: NMAP Web site File http-vuln-cve2014-3704
  Source: CCN Type: Packet Storm Security [10-16-2014] Drupal 7.X SQL Injection
  Source: CCN Type: Packet Storm Security [10-17-2014] Drupal Core 7.32 SQL Injection
  Source: CCN Type: Packet Storm Security [10-18-2014] Drupal HTTP Parameter Key/Value SQL Injection
  Source: CCN Type: DRUPAL-SA-CORE-2014-005 Drupal core - SQL injection
  Source: CONFIRM Type: Patch, Vendor Advisory https://www.drupal.org/SA-CORE-2014-005
  Source: EXPLOIT-DB Type: EXPLOIT Offensive Security Exploit Database [10-16-2014]
  Source: EXPLOIT-DB Type: EXPLOIT Offensive Security Exploit Database [10-17-2014]
  Source: EXPLOIT-DB Type: EXPLOIT Offensive Security Exploit Database [11-03-2014]
  Source: MISC Type: Exploit, Patch, Third Party Advisory https://www.sektioneins.de/en/advisories/advisory-012014-drupal-pre-auth-sql-injection-vulnerability.html
  Source: MISC Type: Exploit, Third Party Advisory https://www.sektioneins.de/en/blog/14-11-03-drupal-sql-injection-vulnerability-PoC.html
  Source: CCN Type: WhiteSource Vulnerability Database CVE-2014-3704