[HUB] SA-CORE-2014-005: Drupal core - SQL injection

Refers to:

  • Plesk

Created:

2016-11-16 13:14:19 UTC

Modified:

2016-12-21 20:15:37 UTC


Automated attacks began compromising Drupal 7 websites that were not patched or updated to Drupal 7.32 within hours of the announcement of SA-CORE-2014-005.

Situation

  • On the 15th of October, Drupal announced the highly critical security vulnerability SA-CORE-2014-005 in an API, affecting all 7.x versions prior to 7.32: https://www.drupal.org/SA-CORE-2014-005

  • On the 29th of October, Drupal also issued Security Advisory PSA-2014-003, recommending that all potentially compromised sites be recovered from backup unless the patch was applied within hours of the announcement of SA-CORE-2014-005: https://www.drupal.org/PSA-2014-003

Impact

A vulnerability in this API allows an attacker to send specially crafted requests resulting in arbitrary SQL execution. Depending on the content of the requests this can lead to privilege escalation, arbitrary PHP execution, or other attacks.
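To find which sites on a server still run an affected release, the version range from the advisory can be checked against each Drupal tree on disk. The script below is an added example, not part of the original article or of any Parallels or Drupal tooling; it assumes Drupal 7's `define('VERSION', ...)` line in `includes/bootstrap.inc`, and the default root `/var/www/vhosts` is an assumption to adjust for your server.

```python
import re
import sys
from pathlib import Path

# Drupal 7 declares its release in includes/bootstrap.inc as
#   define('VERSION', '7.31');
VERSION_RE = re.compile(r"define\(\s*'VERSION'\s*,\s*'([^']+)'\s*\)")
FIXED = (7, 32)  # first release containing the SA-CORE-2014-005 fix


def parse_version(bootstrap_text):
    """Return the VERSION string from bootstrap.inc contents, or None."""
    m = VERSION_RE.search(bootstrap_text)
    return m.group(1) if m else None


def classify(version):
    """Map a VERSION string to 'vulnerable', 'fixed', 'review' or 'not-7.x'."""
    m = re.fullmatch(r"(\d+)\.(\d+)(-.+)?", version or "")
    if not m:
        return "review"        # unparseable value: inspect by hand
    major, minor, suffix = int(m.group(1)), int(m.group(2)), m.group(3)
    if major != 7:
        return "not-7.x"       # the advisory covers 7.x only
    if (major, minor) < FIXED:
        return "vulnerable"
    if (major, minor) == FIXED and suffix:
        return "review"        # e.g. a 7.32-dev snapshot may predate the fix
    return "fixed"


def scan(root):
    """Yield (site_dir, version, status) for each Drupal tree under root."""
    for inc in sorted(Path(root).rglob("includes/bootstrap.inc")):
        version = parse_version(inc.read_text(errors="replace"))
        if version is not None:
            yield inc.parent.parent, version, classify(version)


if __name__ == "__main__":
    # Assumed default web root; pass your own as the first argument.
    root = sys.argv[1] if len(sys.argv) > 1 else "/var/www/vhosts"
    for site, version, status in scan(root):
        # 'fixed' describes the code on disk now, not when it was updated.
        print(f"{status:10} {version:10} {site}")
```

A `fixed` result says nothing about when the update happened, so the PSA-2014-003 recommendation to recover from backup still applies to sites that were not patched within hours of the announcement.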

Solution

Drupal is available for installation as an APS package through the following Parallels products. Here is the list of articles you may refer to:

Parallels takes the security of our customers very seriously and encourages you to take the recommended actions as soon as possible.

We also strongly encourage you to stay connected to Parallels for important product-related information via these methods:
