More than 19 months after it was patched by Drupal developers, a critical SQL injection vulnerability in the popular content management system is still being exploited by malicious actors to hack websites.
The vulnerability in question, tracked as CVE-2014-3704 and dubbed by researchers “Drupalgeddon,” is related to a database abstraction API used in Drupal 7. The flaw allows attackers to execute arbitrary SQL queries, which can lead to privilege escalation or code execution. A patch was released on October 15, 2014.