Description

The expandArguments function in the database abstraction API in Drupal core 7.x before 7.32 does not properly construct prepared statements, which allows remote attackers to conduct SQL injection attacks via an array containing crafted keys.

Remediation

References

CVE-2014-3704

Related Vulnerabilities

WordPress Plugin Import any XML or CSV File to WordPress Arbitrary File Upload (3.6.7)

PHP Improper Link Resolution Before File Access ('Link Following') Vulnerability (CVE-2014-5459)

WordPress Plugin DMCA WaterMarker Cross-Site Scripting (1.0)

Dolibarr Improper Input Validation Vulnerability (CVE-2013-2093)

Liferay Portal Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Vulnerability (CVE-2022-26594)

Severity

High

Classification

CVE-2014-3704 CWE-138

Tags

Missing Update Known Vulnerabilities