Description

The expandArguments function in the database abstraction API in Drupal core 7.x before 7.32 does not properly construct prepared statements, which allows remote attackers to conduct SQL injection attacks via an array containing crafted keys.

Remediation

References

CVE-2014-3704

Related Vulnerabilities

Drupal CVE-2022-25278 Vulnerability (CVE-2022-25278)

phpBB Improper Input Validation Vulnerability (CVE-2006-2220)

WordPress Plugin Listing, Classified Ads & Business Directory-uListing Cross-Site Request Forgery (2.0.8)

Liferay Portal Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Vulnerability (CVE-2021-29051)

WordPress Multiple Cross-Site Scripting and SQL Injection Vulnerabilities (1.2.1 - 1.2.2)

Severity

High

Classification

CVE-2014-3704 CWE-138

Tags

Missing Update Known Vulnerabilities