FreeBSD : drupal7 -- SQL injection (6f825fa4-5560-11e4-a4c3-00a0986f28c4)

High Nessus Plugin ID 78521


The remote FreeBSD host is missing a security-related update.


Drupal Security Team reports :

Drupal 7 includes a database abstraction API to ensure that queries executed against the database are sanitized to prevent SQL injection attacks. A vulnerability in this API allows an attacker to send specially crafted requests resulting in arbitrary SQL execution.
Depending on the content of the requests this can lead to privilege escalation, arbitrary PHP execution, or other attacks. This vulnerability can be exploited by anonymous users.


Update the affected package.

See Also

Plugin Details

Severity: High

ID: 78521

File Name: freebsd_pkg_6f825fa4556011e4a4c300a0986f28c4.nasl

Version: $Revision: 1.9 $

Type: local

Published: 2014/10/17

Modified: 2015/11/16

Dependencies: 12634

Risk Information

Risk Factor: High


Base Score: 7.5

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P

Vulnerability Information

CPE: p-cpe:/a:freebsd:freebsd:drupal7, cpe:/o:freebsd:freebsd

Required KB Items: Host/local_checks_enabled, Host/FreeBSD/release, Host/FreeBSD/pkg_info

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 2014/10/16

Vulnerability Publication Date: 2014/10/15

Exploitable With


Core Impact

Metasploit (Drupal HTTP Parameter Key/Value SQL Injection)

Elliot (Drupal core 7.x SQL Injection)

Reference Information

CVE: CVE-2014-3704