CVE-2014-3704 | Mend Vulnerability Database

Vulnerability DatabaseCVE-2014-3704

CVE-2014-3704

Published:October 16, 2014

Updated:May 14, 2026

The expandArguments function in the database abstraction API in Drupal core 7.x before 7.32 does not properly construct prepared statements, which allows remote attackers to conduct SQL injection attacks via an array containing crafted keys.

Related Resources (18)

http://www.exploit-db.com/exploits/34984

http://packetstormsecurity.com/files/128721/Drupal-7.31-SQL-Injection.html

https://www.sektioneins.de/en/blog/14-11-03-drupal-sql-injection-vulnerability-PoC.html

http://www.exploit-db.com/exploits/35150

http://www.exploit-db.com/exploits/34993

http://osvdb.org/show/osvdb/113371

http://www.exploit-db.com/exploits/34992

http://packetstormsecurity.com/files/128741/Drupal-HTTP-Parameter-Key-Value-SQL-Injection.html

http://packetstormsecurity.com/files/128720/Drupal-7.X-SQL-Injection.html

http://www.openwall.com/lists/oss-security/2014/10/15/23

https://www.sektioneins.de/en/advisories/advisory-012014-drupal-pre-auth-sql-injection-vulnerability.html

http://www.debian.org/security/2014/dsa-3051

https://people.canonical.com/~ubuntu-security/cve/CVE-2014-3704

http://seclists.org/fulldisclosure/2014/Oct/75

http://www.securityfocus.com/bid/70595

http://www.securityfocus.com/archive/1/533706/100/0/threaded

https://www.drupal.org/SA-CORE-2014-005

http://secunia.com/advisories/59972

Do you need more information?

CVSS v3

Base Score:

7.3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

LOW

Integrity

LOW

Availability

LOW

Exploit Maturity

FUNCTIONAL

CVSS v2

Base Score:

7.5

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

Weakness Type (CWE)

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

EPSS

Base Score:

94.22