← volver
CVE-2014-3704

CVE-2014-3704

EPSS 100.0%
The expandArguments function in the database abstraction API in Drupal core 7.x before 7.32 does not properly construct prepared statements, which allows remote attackers to conduct SQL injection attacks via an array containing crafted keys.
Productos afectados
n/a · n/a
PoCs públicas encontradas17
githubgithub.com/happynote3966/CVE-2014-37041githubgithub.com/Neldeborg/Drupalgeddon-Python31githubgithub.com/AleDiBen/Drupalgeddon0githubgithub.com/joaomorenorf/CVE-2014-37040githubgithub.com/fbm31/Audit-BlackBox-Web-to-Root0cve_referencewww.exploit-db.com/exploits/34993no verificadocve_referencewww.exploit-db.com/exploits/35150no verificadoexploitdbwww.exploit-db.com/exploits/34992no verificadoexploitdbwww.exploit-db.com/exploits/44355no verificadoexploitdbwww.exploit-db.com/exploits/34984no verificadoexploitdbwww.exploit-db.com/exploits/34993no verificadocve_referencepacketstormsecurity.com/files/128720/Drupal-7.X-SQL-Injection.htmlno verificadoexploitdbwww.exploit-db.com/exploits/35150no verificadocve_referencepacketstormsecurity.com/files/128721/Drupal-7.31-SQL-Injection.htmlno verificadocve_referencepacketstormsecurity.com/files/128741/Drupal-HTTP-Parameter-Key-Value-SQL-Injection.htmlno verificadocve_referencewww.exploit-db.com/exploits/34984no verificadocve_referencewww.exploit-db.com/exploits/34992no verificado
⚠ Recursos públicos, para evaluar la exposición de sistemas que controlas o estás autorizado a probar. Prueba solo con autorización.

¿Quieres saber si tu infraestructura está expuesta a esto?

Hablar con TrueHacking →
Referencias
http://osvdb.org/show/osvdb/113371http://packetstormsecurity.com/files/128720/Drupal-7.X-SQL-Injection.htmlhttp://packetstormsecurity.com/files/128721/Drupal-7.31-SQL-Injection.htmlhttp://packetstormsecurity.com/files/128741/Drupal-HTTP-Parameter-Key-Value-SQL-Injection.htmlhttp://seclists.org/fulldisclosure/2014/Oct/75http://secunia.com/advisories/59972https://www.drupal.org/SA-CORE-2014-005https://www.sektioneins.de/en/advisories/advisory-012014-drupal-pre-auth-sql-injection-vulnerability.htmlhttps://www.sektioneins.de/en/blog/14-11-03-drupal-sql-injection-vulnerability-PoC.htmlhttp://www.debian.org/security/2014/dsa-3051http://www.exploit-db.com/exploits/34984http://www.exploit-db.com/exploits/34992