Security Risk: 
Moderately Critical
Vulnerability: 
SQL Injection
Affected Versions: 

All previous versions.

Fixed Versions: 
  • 4.2.13
  • 4.3.8
  • 4.4.1
Publication Date: 
Monday, November 4, 2013
Description: 

The CiviCRM API provides programmatic access to CiviCRM data and operations, both from PHP code and over HTTP through the AJAX API. Multiple APIs were vulnerable to SQL injection: caller-supplied parameters could reach SQL query text without adequate escaping or type validation.

The potential to exploit these vulnerabilities is limited by several factors:

  • An attacker must either hold valid credentials or be able to place malicious content on the target's domain (so that an authenticated user's browser issues the API call on the attacker's behalf).
  • An attacker must hold an advanced permission, "access CiviCRM" or "access AJAX API", in conjunction with the permissions required by the specific affected APIs.
  • CiviCRM's mechanism for constructing SQL queries (typed placeholders that are escaped and validated before substitution) makes it difficult to construct a valid, meaningful exploit. A meaningful exploit has not yet been identified, but this does not mean that an exploit is impossible.
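The following PHP is an added illustration of the vulnerability class described above and of the query-construction mechanism referred to in the last point; it is not CiviCRM's code and does not reproduce any of the actual affected APIs. The helper names, the `sort_name` lookup and the sample input are hypothetical. It assumes it is run inside a bootstrapped CiviCRM environment where `CRM_Core_DAO` and `CRM_Utils_Type` are loaded.

```php
<?php
// Added example, not CiviCRM's own code. Assumes a bootstrapped CiviCRM
// (CRM_Core_DAO and CRM_Utils_Type available). Function names, the query
// and the sample input below are hypothetical illustrations.

/**
 * Hypothetical vulnerable helper: an API-style parameter is interpolated
 * directly into the SQL text. A caller who can reach this code with
 * "access AJAX API" could supply a value such as  x' OR '1'='1  and
 * change the meaning of the WHERE clause.
 */
function example_contact_lookup_unsafe($sortName) {
  $sql = "SELECT id, sort_name FROM civicrm_contact "
       . "WHERE sort_name LIKE '%$sortName%' LIMIT 10";
  return example_fetch_rows(CRM_Core_DAO::executeQuery($sql));
}

/**
 * Same lookup using CiviCRM's typed placeholders. Each %N is replaced by
 * the value after CRM_Utils_Type::escape() has been applied for the
 * declared type: 'String' values are escaped and quoted by the framework
 * (so the placeholder is written without surrounding quotes), and a
 * non-numeric value for an 'Integer' placeholder is rejected outright.
 */
function example_contact_lookup_safe($sortName, $limit = 10) {
  $sql = "SELECT id, sort_name FROM civicrm_contact "
       . "WHERE sort_name LIKE %1 LIMIT %2";
  $params = array(
    1 => array('%' . $sortName . '%', 'String'),
    2 => array($limit, 'Integer'),
  );
  return example_fetch_rows(CRM_Core_DAO::executeQuery($sql, $params));
}

/** Collect DAO result rows into a plain array. */
function example_fetch_rows($dao) {
  $rows = array();
  while ($dao->fetch()) {
    $rows[] = array('id' => (int) $dao->id, 'sort_name' => $dao->sort_name);
  }
  return $rows;
}

// Constructed sample input: a payload that would break out of the quoted
// literal in the unsafe version.
$payload = "x' OR '1'='1";

// In the safe version the quote is escaped before it reaches the query,
// so the value can only ever be compared as a string.
echo "Escaped payload: " . CRM_Utils_Type::escape($payload, 'String') . "\n";

// The rows returned match only contacts whose sort_name contains the
// literal payload text (normally none).
echo "Safe lookup rows: " . count(example_contact_lookup_safe($payload)) . "\n";

// A non-integer LIMIT is refused by the Integer placeholder rather than
// being spliced into the query.
try {
  example_contact_lookup_safe('Smith', "10; DROP TABLE civicrm_contact");
  echo "Unexpected: non-integer limit was accepted\n";
}
catch (Exception $e) {
  echo "Integer placeholder rejected the bad limit: " . get_class($e) . "\n";
}
```

The first function is what an injectable API looked like in general terms; the second shows why the page describes exploitation as difficult: with typed placeholders the framework escapes and quotes each value according to its declared type, so an injected quote or a non-numeric limit never alters the query structure. Note that `CRM_Utils_Type::escape()` on an invalid `Integer` value aborts through CiviCRM's fatal-error handling in some versions rather than throwing a catchable exception, so the `try` block above is illustrative of the check rather than a guarantee of the error type.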
Solutions: 

Upgrade to one of the fixed versions.

Credits: 

Eileen McNaughton, Donald Lobo, Nicolas Ganivet, Coleman Watts
