CVE-2014-3704

CVE Database · CVE-2014-3704

CVE-2014-3704

· N/AModified

CVSS v3.1

N/A

EPSS

99.97%

Published

Oct 15, 2014

Modified

May 6, 2026

Public PoC / Exploit (7)

All weaponized →

Exploit-DBDrupal 7.0 < 7.31 - 'Drupalgeddon' SQL Injection (Add Admin User)Exploit-DBDrupal 7.0 < 7.31 - 'Drupalgeddon' SQL Injection (Admin Session)Exploit-DBDrupal 7.0 < 7.31 - 'Drupalgeddon' SQL Injection (PoC) (Reset Password) (1)Exploit-DBDrupal 7.0 < 7.31 - 'Drupalgeddon' SQL Injection (PoC) (Reset Password) (2)Exploit-DBDrupal 7.0 < 7.31 - 'Drupalgeddon' SQL Injection (Remote Code Execution)NucleiNuclei detection template TrickestTrickest PoC index

Links to public security research (Exploit-DB, Nuclei, Trickest, GitHub) for defensive use only.

Description

The expandArguments function in the database abstraction API in Drupal core 7.x before 7.32 does not properly construct prepared statements, which allows remote attackers to conduct SQL injection attacks via an array containing crafted keys.

Weaknesses (CWE)

CWE-89

Affected Products (2)

drupal · drupal (up to 7.32)vulnerable

debian · debian_linuxvulnerable

References (20)

http://osvdb.org/show/osvdb/113371

Broken Link

http://packetstormsecurity.com/files/128720/Drupal-7.X-SQL-Injection.html

ExploitThird Party AdvisoryVDB Entry

http://packetstormsecurity.com/files/128721/Drupal-7.31-SQL-Injection.html

ExploitThird Party AdvisoryVDB Entry

http://packetstormsecurity.com/files/128741/Drupal-HTTP-Parameter-Key-Value-SQL-Injection.html

ExploitThird Party AdvisoryVDB Entry

http://seclists.org/fulldisclosure/2014/Oct/75

Exploit

KEV Catalog EPSS Scores Vendors All CVEs