A malicious user can inject arbitrary SQL queries… A vulnerability in this API allows an attacker to send specially crafted requests that result in arbitrary SQL execution.
Details
Drupal uses prepared statements in all its SQL queries.
To handle IN statements there is an expandArguments function that expands arrays into lists of placeholders.
The problem occurs if the array has keys that are not integers.
Since Drupal uses PDO, multi-queries are allowed.
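A simplified Python model of the expansion described above, added here as an example and not Drupal's own PHP code: the weak variant builds placeholder names from the array's keys, so a non-integer key lands verbatim in the SQL text, while the hardened variant reindexes the array so only values are bound. The query string, argument dicts and function names are constructed assumptions for the demonstration.

```python
import re


def expand_arguments_weak(query, args):
    """Vulnerable pattern: placeholder names are derived from the array's own
    keys, so an untrusted non-integer key becomes part of the query text."""
    expanded = {}
    for name, value in args.items():
        if not isinstance(value, dict):       # scalar argument, bound as-is
            expanded[name] = value
            continue
        placeholders = {f"{name}_{key}": item for key, item in value.items()}
        query = re.sub(re.escape(name) + r"\b", ", ".join(placeholders), query)
        expanded.update(placeholders)
    return query, expanded


def expand_arguments_hardened(query, args):
    """Reindexed variant: keys are ignored and placeholders are numbered
    0..n-1, so the SQL text is fixed and only the values are bound."""
    expanded = {}
    for name, value in args.items():
        if not isinstance(value, dict):
            expanded[name] = value
            continue
        placeholders = {f"{name}_{i}": item
                        for i, item in enumerate(value.values())}
        query = re.sub(re.escape(name) + r"\b", ", ".join(placeholders), query)
        expanded.update(placeholders)
    return query, expanded


def non_integer_keys(args):
    """Audit helper: names of array arguments whose keys are not all integers."""
    return sorted(name for name, value in args.items()
                  if isinstance(value, dict)
                  and any(not isinstance(k, int) for k in value))


# Constructed sample input (PHP arrays modelled as ordered dicts).
QUERY = "SELECT name FROM users WHERE name IN (:name)"
SAFE_ARGS = {":name": {0: "alice", 1: "bob"}}
BAD_ARGS = {":name": {0: "alice", "text from request": "bob"}}

if __name__ == "__main__":
    print(expand_arguments_weak(QUERY, BAD_ARGS)[0])      # key appears in SQL
    print(expand_arguments_hardened(QUERY, BAD_ARGS)[0])  # fixed :name_0, :name_1
    print(non_integer_keys(BAD_ARGS))
```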
SektionEins has said that they can't reveal the PoC, as they have been asked by Drupal not to.
source: www.techworm.net