Recently, CVE-2014-3704 was in the news. This vulnerability allows attackers to execute SQLi without needing to be logged in. However, I've looked at the available exploits, and I found only exploits that make use of the login form. Does this mean that when access to the login field is restricted (IP whitelist), there is no risk (as long as they cannot access the login form)? Or is it possible to exploit this on a different Drupal component as well?
Any thoughts would be appreciated!