Vulnerability Details : CVE-2011-4113
SQL injection vulnerability in the Views module before 6.x-2.13 for Drupal allows remote attackers to execute arbitrary SQL commands via vectors related to "filters/arguments on certain types of views with specific configurations of arguments."
Vulnerability category: Sql Injection
Products affected by CVE-2011-4113
- cpe:2.3:a:earl_miles:views:*:*:*:*:*:*:*:*
- cpe:2.3:a:earl_miles:views:5.x-1.0:*:*:*:*:*:*:*
- cpe:2.3:a:earl_miles:views:5.x-1.1:beta:*:*:*:*:*:*
- cpe:2.3:a:earl_miles:views:5.x-1.x:dev:*:*:*:*:*:*
- cpe:2.3:a:earl_miles:views:5.x-1.5:*:*:*:*:*:*:*
- cpe:2.3:a:earl_miles:views:5.x-1.6:beta:*:*:*:*:*:*
- cpe:2.3:a:earl_miles:views:5.x-1.6:beta2:*:*:*:*:*:*
- cpe:2.3:a:earl_miles:views:5.x-1.6:beta3:*:*:*:*:*:*
- cpe:2.3:a:earl_miles:views:5.x-1.2:beta1:*:*:*:*:*:*
- cpe:2.3:a:earl_miles:views:5.x-1.4:rc1:*:*:*:*:*:*
- cpe:2.3:a:earl_miles:views:5.x-1.6:beta5:*:*:*:*:*:*
- cpe:2.3:a:earl_miles:views:5.x-1.7:*:*:*:*:*:*:*
- cpe:2.3:a:earl_miles:views:5.x-1.3:beta1:*:*:*:*:*:*
- cpe:2.3:a:earl_miles:views:5.x-1.4-2:rc1:*:*:*:*:*:*
- cpe:2.3:a:earl_miles:views:5.x-1.6:beta4:*:*:*:*:*:*
- cpe:2.3:a:earl_miles:views:5.x-1.6:*:*:*:*:*:*:*
- cpe:2.3:a:earl_miles:views:6.x-2.0:*:*:*:*:*:*:*
- cpe:2.3:a:earl_miles:views:6.x-2.3:*:*:*:*:*:*:*
- cpe:2.3:a:earl_miles:views:6.x-2.5:*:*:*:*:*:*:*
- cpe:2.3:a:earl_miles:views:6.x-2.7:*:*:*:*:*:*:*
- cpe:2.3:a:earl_miles:views:6.x-2.0:alpha3:*:*:*:*:*:*
- cpe:2.3:a:earl_miles:views:6.x-2.0:alpha4:*:*:*:*:*:*
- cpe:2.3:a:earl_miles:views:6.x-2.0:beta1:*:*:*:*:*:*
- cpe:2.3:a:earl_miles:views:6.x-2.0:beta3:*:*:*:*:*:*
- cpe:2.3:a:earl_miles:views:6.x-2.9:*:*:*:*:*:*:*
- cpe:2.3:a:earl_miles:views:6.x-2.6:*:*:*:*:*:*:*
- cpe:2.3:a:earl_miles:views:6.x-2.0:rc4:*:*:*:*:*:*
- cpe:2.3:a:earl_miles:views:6.x-2.x:dev:*:*:*:*:*:*
- cpe:2.3:a:earl_miles:views:6.x-2.0:alpha2:*:*:*:*:*:*
- cpe:2.3:a:earl_miles:views:6.x-2.0:rc2:*:*:*:*:*:*
- cpe:2.3:a:earl_miles:views:6.x-2.0:rc5:*:*:*:*:*:*
- cpe:2.3:a:earl_miles:views:6.x-2.8:*:*:*:*:*:*:*
- cpe:2.3:a:earl_miles:views:6.x-2.4:*:*:*:*:*:*:*
- cpe:2.3:a:earl_miles:views:6.x-2.0:beta2:*:*:*:*:*:*
- cpe:2.3:a:earl_miles:views:6.x-2.10:*:*:*:*:*:*:*
- cpe:2.3:a:earl_miles:views:6.x-2.0:rc3:*:*:*:*:*:*
- cpe:2.3:a:earl_miles:views:6.x-2.0:alpha1:*:*:*:*:*:*
- cpe:2.3:a:earl_miles:views:6.x-2.0:rc1:*:*:*:*:*:*
- cpe:2.3:a:earl_miles:views:6.x-2.2:*:*:*:*:*:*:*
- cpe:2.3:a:earl_miles:views:6.x-2.1:*:*:*:*:*:*:*
- cpe:2.3:a:earl_miles:views:6.x-2.0:beta4:*:*:*:*:*:*
- cpe:2.3:a:earl_miles:views:6.x-2.0:alpha5:*:*:*:*:*:*
- cpe:2.3:a:earl_miles:views:6.x-2.11:*:*:*:*:*:*:*
- cpe:2.3:a:earl_miles:views:5.x-1.8:*:*:*:*:*:*:*
- cpe:2.3:a:earl_miles:views:4.7.x-1.6:beta5:*:*:*:*:*:*
- cpe:2.3:a:earl_miles:views:4.7.x-1.6:beta3:*:*:*:*:*:*
- cpe:2.3:a:earl_miles:views:4.7.x-1.2:*:*:*:*:*:*:*
- cpe:2.3:a:earl_miles:views:4.7.x-1.1:*:*:*:*:*:*:*
- cpe:2.3:a:earl_miles:views:4.7.x-1.6:*:*:*:*:*:*:*
- cpe:2.3:a:earl_miles:views:4.7.x-1.4:*:*:*:*:*:*:*
- cpe:2.3:a:earl_miles:views:4.7.x-1.3:*:*:*:*:*:*:*
- cpe:2.3:a:earl_miles:views:4.7.x1.5:*:*:*:*:*:*:*
- cpe:2.3:a:earl_miles:views:4.7.x-1.4.2:*:*:*:*:*:*:*
- cpe:2.3:a:earl_miles:views:4.7.x-1.6:beta2:*:*:*:*:*:*
- cpe:2.3:a:earl_miles:views:4.7.x-1.6:beta:*:*:*:*:*:*
- cpe:2.3:a:earl_miles:views:4.7.x-1.0:*:*:*:*:*:*:*
- cpe:2.3:a:earl_miles:views:4.7.x-1.x:dev:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2011-4113
0.36%
Probability of exploitation activity in the next 30 days
EPSS Score History
~ 69 %
Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2011-4113
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
7.5
|
HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |
10.0
|
6.4
|
NIST |
CWE ids for CVE-2011-4113
-
The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.Assigned by: nvd@nist.gov (Primary)
References for CVE-2011-4113
-
https://exchange.xforce.ibmcloud.com/vulnerabilities/71124
Views module for Drupal filters/arguments on views SQL injection CVE-2011-4113 Vulnerability Report
-
http://www.securityfocus.com/bid/50500
Drupal Views Module SQL Injection VulnerabilityPatch
-
http://www.openwall.com/lists/oss-security/2011/11/04/3
oss-security - Re: CVE Request -- Drupal (v6.x based) Views module - SQL injection due improper escaping of database parameters for certain filters / arguments (SA-CONTRIB-2011-052)
-
http://lists.fedoraproject.org/pipermail/package-announce/2011-November/069499.html
[SECURITY] Fedora 14 Update: drupal-views-6.x.2.13-1.fc14
-
http://drupal.org/node/1329898
SA-CONTRIB-2011-052 - Views SQL Injection | Drupal.orgPatch
-
http://drupal.org/node/1329842
Access to this page has been denied.Patch
Jump to