Description

The expandArguments function in the database abstraction API in Drupal core 7.x before 7.32 does not properly construct prepared statements, which allows remote attackers to conduct SQL injection attacks via an array containing crafted keys.

Remediation

References

CVE-2014-3704

Related Vulnerabilities

PHP Address Book Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') Vulnerability (CVE-2012-1911)

WordPress Plugin JSM file_get_contents() Shortcode Server-Side Request Forgery (2.7.0)

WordPress Plugin Accept Donations with PayPal Cross-Site Request Forgery (1.3)

WordPress Plugin Recart-The New GhostMonitor Unspecified Vulnerability (1.5.0)

WordPress Plugin Apptivo eCommerce Multiple Cross-Site Scripting Vulnerabilities (1.1.5)

Severity

High

Classification

CVE-2014-3704 CWE-138

Tags

Missing Update Known Vulnerabilities