Geolocation Field
Monthly
SQL injection in the Drupal Geolocation Field contributed module exposes sites to unauthenticated database read and partial write access across all module versions prior to 3.15.0. The CVSS vector (AV:N/AC:L/PR:N/UI:N) confirms the attack requires no authentication and no user interaction, making it remotely triggerable against any publicly reachable Drupal installation running the affected module. Impact is bounded by C:L/I:L/A:N - partial data disclosure and modification without availability disruption or full database takeover. No active exploitation has been confirmed (no CISA KEV listing), and EPSS sits at a low 0.16% (5th percentile), indicating minimal current attacker interest. A vendor patch is available.
SQL injection in the Drupal Geolocation Field contributed module exposes sites to unauthenticated database read and partial write access across all module versions prior to 3.15.0. The CVSS vector (AV:N/AC:L/PR:N/UI:N) confirms the attack requires no authentication and no user interaction, making it remotely triggerable against any publicly reachable Drupal installation running the affected module. Impact is bounded by C:L/I:L/A:N - partial data disclosure and modification without availability disruption or full database takeover. No active exploitation has been confirmed (no CISA KEV listing), and EPSS sits at a low 0.16% (5th percentile), indicating minimal current attacker interest. A vendor patch is available.