Drupal Database Abstraction API SQLi

High Web Application Scanning Plugin ID 98220

Synopsis

Drupal Database Abstraction API SQLi

Description

The remote web server is running a version of Drupal that is affected by a SQL injection vulnerability due to a flaw in the Drupal database abstraction API, which allows a remote attacker to use specially crafted requests that can result in arbitrary SQL execution. This may lead to privilege escalation, arbitrary PHP execution, or remote code
execution.

Solution

Upgrade to Drupal core version 7.32

See Also

https://www.drupal.org/forum/newsletters/security-advisories-for-drupal-core/2014-10-15/sa-core-2014-005-drupal-core-sql

Plugin Details

Severity: High

ID: 98220

Type: remote

Published: 2018/06/19

Updated: 2018/06/19

Risk Information

Risk Factor: High

CVSS v2.0

Base Score: 7.5

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P

CVSS v3.0

Base Score: 9.8

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Vulnerability Information

Exploit Available: true

Patch Publication Date: 2014/10/15

Vulnerability Publication Date: 2014/10/15

Reference Information

CVE: CVE-2014-3704

BID: 70595