← volver
CVE-2014-3704

CVE-2014-3704

EPSS 100.0%
Vexday Risk Score
60Atención
Decisión SSVC (CISA)
Attend
PoC disponible → seguir de cerca
CVSS EPSS 100.0%KEV nãoPoC públicaNuclei simMetasploit simPatch referenciado
Ciclo de vida
15 oct 2014Exploit Metasploit disponible
16 oct 2014Publicada en NVD
16 oct 2014PoC pública
Recomendación: Planificar corrección próxima — ya existe PoC pública.
The expandArguments function in the database abstraction API in Drupal core 7.x before 7.32 does not properly construct prepared statements, which allows remote attackers to conduct SQL injection attacks via an array containing crafted keys.
Productos afectados
n/a · n/a
PoCs públicas encontradas17
githubgithub.com/happynote3966/CVE-2014-37041githubgithub.com/Neldeborg/Drupalgeddon-Python31githubgithub.com/AleDiBen/Drupalgeddon0githubgithub.com/joaomorenorf/CVE-2014-37040githubgithub.com/fbm31/Audit-BlackBox-Web-to-Root0cve_referencewww.exploit-db.com/exploits/34993no verificadocve_referencewww.exploit-db.com/exploits/35150no verificadoexploitdbwww.exploit-db.com/exploits/34992no verificadoexploitdbwww.exploit-db.com/exploits/44355no verificadoexploitdbwww.exploit-db.com/exploits/34984no verificadoexploitdbwww.exploit-db.com/exploits/34993no verificadocve_referencepacketstormsecurity.com/files/128720/Drupal-7.X-SQL-Injection.htmlno verificadoexploitdbwww.exploit-db.com/exploits/35150no verificadocve_referencepacketstormsecurity.com/files/128721/Drupal-7.31-SQL-Injection.htmlno verificadocve_referencepacketstormsecurity.com/files/128741/Drupal-HTTP-Parameter-Key-Value-SQL-Injection.htmlno verificadocve_referencewww.exploit-db.com/exploits/34984no verificadocve_referencewww.exploit-db.com/exploits/34992no verificado
⚠ Recursos públicos, para evaluar la exposición de sistemas que controlas o estás autorizado a probar. Prueba solo con autorización.

¿Quieres saber si tu infraestructura está expuesta a esto?

Hablar con TrueHacking →
Referencias
http://osvdb.org/show/osvdb/113371http://packetstormsecurity.com/files/128720/Drupal-7.X-SQL-Injection.htmlhttp://packetstormsecurity.com/files/128721/Drupal-7.31-SQL-Injection.htmlhttp://packetstormsecurity.com/files/128741/Drupal-HTTP-Parameter-Key-Value-SQL-Injection.htmlhttp://seclists.org/fulldisclosure/2014/Oct/75http://secunia.com/advisories/59972https://www.drupal.org/SA-CORE-2014-005https://www.sektioneins.de/en/advisories/advisory-012014-drupal-pre-auth-sql-injection-vulnerability.htmlhttps://www.sektioneins.de/en/blog/14-11-03-drupal-sql-injection-vulnerability-PoC.htmlhttp://www.debian.org/security/2014/dsa-3051http://www.exploit-db.com/exploits/34984http://www.exploit-db.com/exploits/34992