The expandArguments function in the database abstraction API in Drupal core 7.x before 7.32 does not properly construct prepared statements, which allows remote attackers to conduct SQL injection attacks via an array containing crafted keys.

The version of Drupal running on the remote web server is affected by a remote code execution vulnerability in the Coder module, specifically in file coder_upgrade.run.php, due to improper validation of user-supplied input to the unserialize() function. An unauthenticated, remote attacker can exploit this, via a specially crafted request, to execute arbitrary PHP code.

The remote web server is running a version of Drupal that is affected by a SQL injection vulnerability due to a flaw in the Drupal database abstraction API, which allows a remote attacker to use specially crafted requests that can result in arbitrary SQL execution. This may lead to privilege escalation, arbitrary PHP execution, or remote code execution.

Updated drupal packages fix security vulnerabilities :

An information disclosure vulnerability was discovered in Drupal before 7.27. When pages are cached for anonymous users, form state may leak between anonymous users. Sensitive or private information recorded for one anonymous user could thus be disclosed to other users interacting with the same form at the same time (CVE-2014-2983).

Multiple security issues in Drupal before 7.29, including a denial of service issue, an access bypass issue in the File module, and multiple cross-site scripting issues (CVE-2014-5019, CVE-2014-5020, CVE-2014-5021, CVE-2014-5022).

A denial of service issue exists in Drupal before 7.31, due to XML entity expansion in a publicly accessible XML-RPC endpoint.

A SQL Injection issue exists in Drupal before 7.32 due to the way the Drupal core handles prepared statements. A malicious user can inject arbitrary SQL queries, and thereby completely control the Drupal site.
This vulnerability can be exploited by remote attackers without any kind of authentication required (CVE-2014-3704).

Aaron Averill discovered that a specially crafted request can give a user access to another user's session, allowing an attacker to hijack a random session (CVE-2014-9015).

Michael Cullum, Javier Nieto and Andres Rojas Guerrero discovered that the password hashing API allows an attacker to send specially crafted requests resulting in CPU and memory exhaustion. This may lead to the site becoming unavailable or unresponsive (denial of service) (CVE-2014-9016). anonymous users (CVE-2014-9016).

Password reset URLs can be forged under certain circumstances, allowing an attacker to gain access to another user's account without knowing the account's password (CVE-2015-2559).

Under certain circumstances, malicious users can construct a URL that will trick users into being redirected to a 3rd party website, thereby exposing the users to potential social engineering attacks. In addition, several URL-related API functions in Drupal 6 and 7 can be tricked into passing through external URLs when not intending to, potentially leading to additional open redirect vulnerabilities (CVE-2015-2749, CVE-2015-2750).

The drupal package has been updated to version 7.35 to fix this issue and other bugs. See the upstream advisory and release notes for more details.

Update to upstream 7.32 security release for SA-CORE-2014-005, CVE-2014-3704

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Update to upstream 7.32 security release for SA-CORE-2014-005, CVE-2014-3407

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Drupal Security Team reports :

Drupal 7 includes a database abstraction API to ensure that queries executed against the database are sanitized to prevent SQL injection attacks. A vulnerability in this API allows an attacker to send specially crafted requests resulting in arbitrary SQL execution.
Depending on the content of the requests this can lead to privilege escalation, arbitrary PHP execution, or other attacks. This vulnerability can be exploited by anonymous users.

Stefan Horst discovered a vulnerability in the Drupal database abstraction API, which may result in SQL injection.

The remote web server is running a version of Drupal that is 7.x prior to 7.32. It is, therefore, potentially affected by a SQL injection vulnerability due to a flaw in the Drupal database abstraction API, which allows a remote attacker to use specially crafted requests that can result in arbitrary SQL execution. This may lead to privilege escalation, arbitrary PHP execution, or remote code execution.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

ID	Name	Product	Family	Severity
98221	Drupal Coder Module Deserialization RCE	Web App Scanning	Component Vulnerability	critical
98220	Drupal Database Abstraction API SQLi	Web App Scanning	Component Vulnerability	critical
82456	Mandriva Linux Security Advisory : drupal (MDVSA-2015:181)	Nessus	Mandriva Local Security Checks	high
78795	Fedora 21 : drupal7-7.32-1.fc21 (2014-12934)	Nessus	Fedora Local Security Checks	high
78710	Fedora 19 : drupal7-7.32-1.fc19 (2014-13053)	Nessus	Fedora Local Security Checks	high
78707	Fedora 20 : drupal7-7.32-1.fc20 (2014-13030)	Nessus	Fedora Local Security Checks	high
78521	FreeBSD : drupal7 -- SQL injection (6f825fa4-5560-11e4-a4c3-00a0986f28c4)	Nessus	FreeBSD Local Security Checks	high
78518	Debian DSA-3051-1 : drupal7 - security update	Nessus	Debian Local Security Checks	high
78515	Drupal Database Abstraction API SQLi	Nessus	CGI abuses	high
78511	Drupal 7.x < 7.32 SQLi	Nessus	CGI abuses	high

Detections

Analytics

CVE-2014-3704

critical

Tenable Plugins

critical

critical

high

high

high

high

high

high

high

high