Drupal Services Module SQL Injection Vulnerability

The Services Module for Drupal is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.

Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.

Drupal Services 7.x-3.x versions prior to 7.x-3.20

Information

Bugtraq ID: 99318
Class: Input Validation Error
CVE:
Remote: Yes
Local: No
Published: Jun 28 2017 12:00AM
Updated: Jun 28 2017 12:00AM
Credit: John Morahan
Vulnerable: Drupal Services 7.x-3.9
Drupal Services 7.X-3.8
Drupal Services 7.x-3.7
Drupal Services 7.x-3.6
Drupal Services 7.x-3.5
Drupal Services 7.x-3.4
Drupal Services 7.x-3.3
Drupal Services 7.x-3.2
Drupal Services 7.x-3.19
Drupal Services 7.x-3.18
Drupal Services 7.x-3.12
Drupal Services 7.X-3.11
Drupal Services 7.x-3.10
Drupal Services 7.x-3.1
Drupal Services 7.x-3.0

Not Vulnerable:

Exploit

Attackers can use a browser to exploit this issue.

References:

• Drupal Homepage (Drupal)
  
• Services - Critical - SQL Injection - SA-CONTRIB-2017-054 (Drupal)
  

Source: www.securityfocus.com