Vulnerability Description
The escapeLike function in sqlsrv/database.inc in the Drupal 7 driver for SQL Server and SQL Azure 7.x-1.x before 7.x-1.4 does not properly escape certain characters, which allows remote attackers to execute arbitrary SQL commands via vectors involving a module using the db_like function.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Drupal 7 Driver For Sql Server And Sql Azure Project | Drupal 7 Driver For Sql Server And Sql Azure | 7.x-1.0 |
Related Weaknesses (CWE)
References
- http://cgit.drupalcode.org/sqlsrv/commit/?id=2ea0da8
- https://www.drupal.org/node/2569003 (Patch)
- https://www.drupal.org/node/2569005 (Patch)
- https://www.drupal.org/node/2569577 (Patch)
FAQ
What is CVE-2015-7876?
CVE-2015-7876 is a vulnerability with a CVSS score of 7.5 (HIGH).
How severe is CVE-2015-7876?
CVE-2015-7876 has been rated HIGH with a CVSS base score of 7.5/10.
Is there a patch for CVE-2015-7876?
Check the references section above for vendor advisories and patch information. Affected products include: Drupal 7 Driver For Sql Server And Sql Azure (vendor: Drupal 7 Driver For Sql Server And Sql Azure Project).