FreeBSD : drupal -- SQL injection vulnerability (fa708908-a8c7-11dc-b41d-000fb5066b20)
Severity: High
Nessus Plugin ID 29690

Synopsis
The remote FreeBSD host is missing one or more security-related updates.

Description
The Drupal Project reports:
The function taxonomy_select_nodes() directly injects variables into SQL queries instead of using placeholders. While the taxonomy module itself validates the input passed to taxonomy_select_nodes(), this is a weakness in Drupal core. Several contributed modules, such as taxonomy_menu, ajaxLoader, and ubrowser, directly pass user input to taxonomy_select_nodes(), enabling SQL injection attacks by anonymous users.
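The pattern the Drupal Project describes, shown as an added example that is not Drupal's own code or this plugin's: a term-ID lookup that splices its IDs into an IN (...) clause, beside a hardened version that validates each ID and binds it with a placeholder. The schema, the sample rows and the function names are constructed for illustration and are assumptions, not Drupal's actual tables or API; SQLite stands in for the site database. The vulnerable function is harmless when its caller has already validated the IDs (the situation of the taxonomy module) and leaks unpublished content when a caller forwards raw request input (the situation of the contributed modules named above).

```python
import re
import sqlite3

# Constructed sample data, loosely modelled on a node table and a node-to-term
# mapping. Names and columns are assumptions for this example, not Drupal's schema.
SCHEMA = """
CREATE TABLE node (nid INTEGER PRIMARY KEY, title TEXT, status INTEGER);
CREATE TABLE term_node (nid INTEGER, tid INTEGER);
INSERT INTO node VALUES (1, 'Published post, term 10', 1);
INSERT INTO node VALUES (2, 'Published post, term 20', 1);
INSERT INTO node VALUES (3, 'Unpublished draft, term 10', 0);
INSERT INTO term_node VALUES (1, 10);
INSERT INTO term_node VALUES (2, 20);
INSERT INTO term_node VALUES (3, 10);
"""

BASE_SQL = (
    "SELECT n.nid FROM node n INNER JOIN term_node tn ON n.nid = tn.nid "
    "WHERE n.status = 1 AND tn.tid IN ({ids}) ORDER BY n.nid"
)


def make_db():
    """Fresh in-memory database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def select_nodes_vulnerable(conn, tids):
    """Weak form: term IDs are joined straight into the SQL text.

    Safe only if every caller validated tids beforehand. A caller that passes
    a raw query-string value lets the attacker rewrite the WHERE clause.
    """
    sql = BASE_SQL.format(ids=",".join(str(t) for t in tids))
    return [row[0] for row in conn.execute(sql)]


def select_nodes_safe(conn, tids):
    """Hardened form: reject non-integer IDs, then bind each one with a placeholder."""
    clean = []
    for t in tids:
        if not re.fullmatch(r"[1-9][0-9]*", str(t)):
            raise ValueError("invalid term id: %r" % (t,))
        clean.append(int(t))
    if not clean:
        return []
    sql = BASE_SQL.format(ids=",".join("?" * len(clean)))
    return [row[0] for row in conn.execute(sql, clean)]


if __name__ == "__main__":
    db = make_db()
    # What a module that forwards ?tid= from the URL would hand over (constructed payload).
    payload = "10) OR 1=1 --"
    print("validated caller:", select_nodes_vulnerable(db, [10]))
    print("raw input, weak form:", sorted(select_nodes_vulnerable(db, [payload])))
    try:
        select_nodes_safe(db, [payload])
    except ValueError as exc:
        print("raw input, hardened form:", exc)
```

With the payload, the weak form's WHERE clause becomes `n.status = 1 AND tn.tid IN (10) OR 1=1 --) ORDER BY n.nid`, so the published-only filter is bypassed and the unpublished node 3 is returned. The hardened form refuses the value before any SQL is built; validating at the query function rather than trusting every caller is the fix the advisory's wording points to.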
Solution
Update the affected packages.