Drupal Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') Vulnerability (CVE-2014-3704)

Description

The expandArguments function in the database abstraction API in Drupal core 7.x before 7.32 does not properly construct prepared statements, which allows remote attackers to conduct SQL injection attacks via an array containing crafted keys.

Remediation

References

CVE-2014-3704

Related Vulnerabilities

WordPress Plugin WP AmASIN-The Amazon Affiliate Shop Directory Traversal (0.9.6)

Ruby Cryptographic Issues Vulnerability (CVE-2013-4363)

ZenCart Improper Authentication Vulnerability (CVE-2009-2255)

WordPress Plugin HDW Player (Video Player & Video Gallery) SQL Injection (2.4.2)

WordPress Plugin WordPress Backup and Migrate-Backup Guard Multiple Unspecified Vulnerabilities (1.1.29)

Severity

High

Classification

CVE-2014-3704 CWE-138