Drupal SQLi (Drupalgeddon) Vulnerability: CVE-2014-3704

by CIRT Team

Description: The expandArguments function in the database abstraction API in Drupal core 7.x before 7.32 does not properly construct prepared statements, which allows remote attackers to conduct SQL injection attacks via an array containing crafted keys.

Impact: A vulnerability in this API allows an attacker to send specially crafted requests resulting in arbitrary SQL execution. Depending on the content of the requests this can lead to privilege escalation, arbitrary PHP execution or other attacks.

Mitigation: Vendor has released new version (upgrade to Drupal core 7.32)

Reference URL’s:

• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3704
• https://www.drupal.org/SA-CORE-2014-005
• https://blog.sucuri.net/2016/05/drupal-sqli-drupalgeddon-attack-trend-cve-2014-3704-sa-core-2014-005.html

CIRT Team

Recommended Posts

Situational Awareness for Eid-Ul-Fitr 2025 Holidays

27 Mar 2025 - Security Advisories & Alerts

Critical Vulnerability (CVE-2018-19410) Exposes 600 PRTG Instances in Bangladesh

18 Feb 2025 - Security Advisories & Alerts

Emerging Phishing Attack on Cyber Space of Bangladesh

12 Jan 2025 - Security Advisories & Alerts