The escapeLike function in sqlsrv/database.inc in the Drupal 7 driver for SQL Server and SQL Azure 7.x-1.x prior to 7.x-1.4 does not properly escape certain characters, which allows remote malicious users to execute arbitrary SQL commands via vectors involving a module using the db_like function.
Vulnerable Product |
---|
drupal 7 driver for sql server and sql azure project drupal 7 driver for sql server and sql azure 7.x-1.0 |
drupal 7 driver for sql server and sql azure project drupal 7 driver for sql server and sql azure 7.x-1.1 |
drupal 7 driver for sql server and sql azure project drupal 7 driver for sql server and sql azure 7.x-1.2 |
drupal 7 driver for sql server and sql azure project drupal 7 driver for sql server and sql azure 7.x-1.3 |