FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

drupal7 -- SQL injection

Affected packages
drupal7 < 7.32

Details

VuXML ID 6f825fa4-5560-11e4-a4c3-00a0986f28c4
Discovery 2014-10-15
Entry 2014-10-16

Drupal Security Team reports:

Drupal 7 includes a database abstraction API to ensure that queries executed against the database are sanitized to prevent SQL injection attacks. A vulnerability in this API allows an attacker to send specially crafted requests resulting in arbitrary SQL execution. Depending on the content of the requests this can lead to privilege escalation, arbitrary PHP execution, or other attacks. This vulnerability can be exploited by anonymous users.

References

CVE Name CVE-2014-3704
URL https://www.drupal.org/SA-CORE-2014-005
URL https://www.sektioneins.de/en/blog/14-10-15-drupal-sql-injection-vulnerability.html