CVE-2014-3704

Currently unrated

Key Information:

Vendor: Drupal
Status: Drupal
Vendor: CVE Published:; 16 October 2014

Badges

👾 Exploit Exists🟡 Public PoC🟣 EPSS 97%

Summary

The expandArguments function in the database abstraction API in Drupal core 7.x before 7.32 does not properly construct prepared statements, which allows remote attackers to conduct SQL injection attacks via an array containing crafted keys.

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

Metasploit exploit module for CVE-2014-3704
Created by Rapid7

CVE-2014-3704
Created by happynote3966

CVE-2014-3704
Created by joaomorenorf

References

https://www.drupal.org/SA-CORE-2014-005

x_refsource_CONFIRM

http://seclists.org/fulldisclosure/2014/Oct/75

mailing-listx_refsource_FULLDISC

http://www.securityfocus.com/archive/1/533706/100/0/threaded

mailing-listx_refsource_BUGTRAQ

EPSS Score

97% chance of being exploited in the next 30 days.

Timeline

🟡
Public PoC available
Oct 18, 2022
👾
Exploit known to exist
Oct 18, 2022
Vulnerability published
Oct 16, 2014
Vulnerability Reserved
May 14, 2014