← voltar
CVE-2014-3704

CVE-2014-3704

EPSS 100.0%
The expandArguments function in the database abstraction API in Drupal core 7.x before 7.32 does not properly construct prepared statements, which allows remote attackers to conduct SQL injection attacks via an array containing crafted keys.
Produtos afetados
n/a · n/a
PoCs públicas encontradas17
githubgithub.com/happynote3966/CVE-2014-37041githubgithub.com/Neldeborg/Drupalgeddon-Python31githubgithub.com/AleDiBen/Drupalgeddon0githubgithub.com/joaomorenorf/CVE-2014-37040githubgithub.com/fbm31/Audit-BlackBox-Web-to-Root0cve_referencewww.exploit-db.com/exploits/34993não verificadocve_referencewww.exploit-db.com/exploits/35150não verificadoexploitdbwww.exploit-db.com/exploits/34992não verificadoexploitdbwww.exploit-db.com/exploits/44355não verificadoexploitdbwww.exploit-db.com/exploits/34984não verificadoexploitdbwww.exploit-db.com/exploits/34993não verificadocve_referencepacketstormsecurity.com/files/128720/Drupal-7.X-SQL-Injection.htmlnão verificadoexploitdbwww.exploit-db.com/exploits/35150não verificadocve_referencepacketstormsecurity.com/files/128721/Drupal-7.31-SQL-Injection.htmlnão verificadocve_referencepacketstormsecurity.com/files/128741/Drupal-HTTP-Parameter-Key-Value-SQL-Injection.htmlnão verificadocve_referencewww.exploit-db.com/exploits/34984não verificadocve_referencewww.exploit-db.com/exploits/34992não verificado
⚠ Recursos públicos, para você avaliar a exposição de sistemas que controla ou está autorizado a testar. Teste apenas com autorização.

Quer saber se a sua infraestrutura está exposta a isto?

Falar com a TrueHacking →
Referências
http://osvdb.org/show/osvdb/113371http://packetstormsecurity.com/files/128720/Drupal-7.X-SQL-Injection.htmlhttp://packetstormsecurity.com/files/128721/Drupal-7.31-SQL-Injection.htmlhttp://packetstormsecurity.com/files/128741/Drupal-HTTP-Parameter-Key-Value-SQL-Injection.htmlhttp://seclists.org/fulldisclosure/2014/Oct/75http://secunia.com/advisories/59972https://www.drupal.org/SA-CORE-2014-005https://www.sektioneins.de/en/advisories/advisory-012014-drupal-pre-auth-sql-injection-vulnerability.htmlhttps://www.sektioneins.de/en/blog/14-11-03-drupal-sql-injection-vulnerability-PoC.htmlhttp://www.debian.org/security/2014/dsa-3051http://www.exploit-db.com/exploits/34984http://www.exploit-db.com/exploits/34992