The Drupal security team is reporting that versions of Drupal 7 prior to 7.32 are vulnerable to a “Highly Critical” SQL injection bug.
Version 7.32 of the content management system has been released to address the bug, which could allow an attacker to escalate privileges or execute arbitrary PHP code.
At the time the vulnerability was disclosed, no known exploits were being used. The attack can be launched by an anonymous user, meaning that no social engineering or other work is necessary to carry it out. The bug is also designated CVE-2014-3704 and was found by Sektion Eins, a German PHP security firm.