Description
Multiple SQL injection vulnerabilities in Drupal and vbDrupal 4.7.x before 4.7.9 and 5.x before 5.4 allow remote attackers to execute arbitrary SQL commands via modules that pass input to the taxonomy_select_nodes function, as demonstrated by the (1) taxonomy_menu, (2) ajaxLoader, and (3) ubrowser contributed modules.
References (11)
Core 11
Core References
Patch x_refsource_confirm
http://sourceforge.net/project/shownotes.php?release_id=559532
Third Party Advisory, VDB Entry vdb-entry
x_refsource_bid
http://www.securityfocus.com/bid/26735
Vendor Advisory third-party-advisory
x_refsource_secunia
http://secunia.com/advisories/27932
Vendor Advisory vendor-advisory
x_refsource_fedora
https://www.redhat.com/archives/fedora-package-announce/2007-December/msg00190.html
Third Party Advisory third-party-advisory
x_refsource_secunia
http://secunia.com/advisories/27973
Vendor Advisory third-party-advisory
x_refsource_secunia
http://secunia.com/advisories/27951
Third Party Advisory, VDB Entry vdb-entry
x_refsource_xf
https://exchange.xforce.ibmcloud.com/vulnerabilities/38884
Patch x_refsource_confirm
http://sourceforge.net/project/shownotes.php?release_id=559538
Third Party Advisory, VDB Entry vdb-entry
x_refsource_xf
https://exchange.xforce.ibmcloud.com/vulnerabilities/38886
Various Sources x_refsource_confirm
http://drupal.org/node/198162
Vendor Advisory vendor-advisory
x_refsource_fedora
https://www.redhat.com/archives/fedora-package-announce/2007-December/msg00258.html
Scores
EPSS
0.0171
EPSS Percentile
82.6%
Details
CWE
CWE-20
CWE-89
Status
published
Products (43)
drupal/drupal
4.0.0
drupal/drupal
4.1.0
drupal/drupal
4.2.0_rc
drupal/drupal
4.4.0
drupal/drupal
4.4.1
drupal/drupal
4.4.2
drupal/drupal
4.4.3
drupal/drupal
4.5
drupal/drupal
4.5.1
drupal/drupal
4.5.2
... and 33 more
Published
Dec 10, 2007
Tracked Since
Feb 18, 2026