Vulnerability CVE-2014-3704

Vulnerability CVE-2014-3704

Published: 2014-10-15 Modified: 2014-10-16

Description:

	Topic	Author	Date
High	Drupal HTTP Parameter Key/Value SQL Injection	Brandon	18.10.2014
Med.	Drupal < 7.32 Pre Auth SQL Injection Vulnerability	Stefan	04.11.2014

Type:

(Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'))

CVSS Base Score	Impact Subscore	Exploitability Subscore
7.5/10	6.4/10	10/10

Affected software
Drupal -> Drupal core

http://packetstormsecurity.com/files/128720/Drupal-7.X-SQL-Injection.html

http://packetstormsecurity.com/files/128721/Drupal-7.31-SQL-Injection.html

http://packetstormsecurity.com/files/128741/Drupal-HTTP-Parameter-Key-Value-SQL-Injection.html

http://seclists.org/fulldisclosure/2014/Oct/75

http://www.debian.org/security/2014/dsa-3051

http://www.exploit-db.com/exploits/34984

http://www.exploit-db.com/exploits/34992

http://www.exploit-db.com/exploits/34993

http://www.exploit-db.com/exploits/35150

http://www.openwall.com/lists/oss-security/2014/10/15/23

http://www.securityfocus.com/archive/1/533706/100/0/threaded

http://www.securityfocus.com/bid/70595

https://www.drupal.org/SA-CORE-2014-005

https://www.sektioneins.de/en/advisories/advisory-012014-drupal-pre-auth-sql-injection-vulnerability.html

https://www.sektioneins.de/en/blog/14-11-03-drupal-sql-injection-vulnerability-PoC.html