Drupal core 7.x – every release of the content management platform prior to 7.32 – contains a highly critical SQL injection vulnerability, CVE-2014-3704 (Drupal advisory SA-CORE-2014-005), that can be exploited by anonymous users without any authentication, according to a Wednesday post on the Drupal website.
“Drupal 7 includes a database abstraction API to ensure that queries executed against the database are sanitized to prevent SQL injection attacks,” according to the post. “A vulnerability in this API allows an attacker to send specially crafted requests resulting in arbitrary SQL execution.”
Because the injected SQL runs with the privileges of the site's database account, the post indicates that this can lead to privilege escalation, arbitrary PHP execution, and other attacks. Upgrading to Drupal core 7.32 closes the hole; it does not undo anything an attacker may already have done through it.
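The mechanism behind the advisory's wording, shown here as an added illustration that is not part of the original article and is not Drupal's own code: when a query placeholder such as `:name` is given an array, Drupal 7's database layer expands it into one placeholder per element (`:name_0, :name_1, ...`). Before 7.32 the suffix was the caller-supplied array key, so a string key taken from request data was concatenated straight into the SQL text rather than bound as a value; 7.32 discards the keys with `array_values()` so the suffix is always a plain index. The two functions below are a stripped-down reimplementation of that loop (the function names are mine, and the input array with the non-numeric key is constructed for the demonstration).

```php
<?php
// Added example, not Drupal's code: a minimal stand-in for the array-placeholder
// expansion in Drupal 7's database layer. $query contains e.g. "IN (:name)" and
// $args maps ':name' to an array of values.

// Behaviour of releases before 7.32.
function expand_arguments_7_31($query, array $args) {
  foreach (array_filter($args, 'is_array') as $key => $data) {
    $new_keys = array();
    // Vulnerable: $i is whatever key the caller's array has. A string key is
    // concatenated into the placeholder name, i.e. into the SQL text itself.
    foreach ($data as $i => $value) {
      $new_keys[$key . '_' . $i] = $value;
    }
    $query = preg_replace('#' . $key . '\b#', implode(', ', array_keys($new_keys)), $query);
    unset($args[$key]);
    $args += $new_keys;
  }
  return array($query, $args);
}

// Behaviour of 7.32.
function expand_arguments_7_32($query, array $args) {
  foreach (array_filter($args, 'is_array') as $key => $data) {
    $new_keys = array();
    // Fixed: array_values() throws the caller's keys away, so $i is always
    // 0, 1, 2, ... and the caller's data only ever reaches the driver as a
    // bound parameter value.
    foreach (array_values($data) as $i => $value) {
      $new_keys[$key . '_' . $i] = $value;
    }
    $query = preg_replace('#' . $key . '\b#', implode(', ', array_keys($new_keys)), $query);
    unset($args[$key]);
    $args += $new_keys;
  }
  return array($query, $args);
}

$query = "SELECT uid FROM {users} WHERE name IN (:name)";
// Constructed input: a string key where the API expects an integer index.
$args = array(':name' => array('0 OR 1=1 -- ' => 'alice'));

list($q, $a) = expand_arguments_7_31($query, $args);
echo $q, "\n";
// SELECT uid FROM {users} WHERE name IN (:name_0 OR 1=1 -- )
// Only ":name_0" is still a placeholder; the rest of the key is now SQL.

list($q, $a) = expand_arguments_7_32($query, $args);
echo $q, "\n";
// SELECT uid FROM {users} WHERE name IN (:name_0)
```

The practical lesson is the general one: in a parameterised query API, every byte of caller-controlled input must travel as a bound value, and anything that is spliced into the query string, including placeholder names derived from array keys, is attacker-controlled SQL. When reviewing a site, confirm the running core is at least 7.32 (or carries the one-line `array_values()` change), and treat any site that was exposed while unpatched as needing a compromise check rather than just an upgrade.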
In a Wednesday post, Daniel Cid, CTO of Sucuri, wrote that proofs of concept are being shared on underground forums, and exploitation attempts could be imminent.
UPDATE: In a Thursday post, Steven Adair, founder of Volexity, wrote that the company has observed the vulnerability being actively exploited.