All previous versions.
The CiviCRM API provides programmatic access to CiviCRM. Multiple APIs were vulnerable to SQL injection attacks.
The potential to exploit these vulnerabilities is limited by multiple factors:
- An attacker must have either valid credentials or an ability to post malicious content on the target's domain.
- An attacker must have an advanced permission -- "access CiviCRM" or "access AJAX API" -- in conjunction with access to specific APIs.
- CiviCRM's mechanism for building SQL queries makes it difficult to construct a valid, meaningful exploit. (A meaningful exploit has not yet been identified, but this does not mean that an exploit is impossible.)
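The third factor refers to the way CiviCRM routes values into SQL through typed placeholders rather than raw string concatenation. The following is an added illustration written for this advisory, not CiviCRM's own code: it models a query builder in the shape of CiviCRM's `CRM_Core_DAO::executeQuery($sql, [1 => [$value, 'Integer']])` call, but the type names, validation rules, escaping and the `Identifier` type are this example's own assumptions, and the queries and payloads are constructed for the demonstration. It shows why a typed placeholder rejects the classic `1 OR 1=1` payload that plain interpolation accepts, and why a quoted string literal cannot protect a position such as `ORDER BY`, where the value is an identifier rather than data.

```python
"""Minimal model of typed-placeholder SQL composition.

Added illustration for this advisory, not CiviCRM code. It mimics the shape of
CiviCRM's CRM_Core_DAO::executeQuery($sql, [1 => [$value, 'Integer']]) API, but
the type names, validation rules and escaping below are this example's own
assumptions, not CiviCRM's implementation.
"""
import re


class QueryParamError(ValueError):
    """Raised when a value does not satisfy its declared placeholder type."""


# Allowlist patterns per declared type (assumed rules for this example).
_PATTERNS = {
    'Integer':    re.compile(r'^-?[0-9]+$'),
    'Positive':   re.compile(r'^[1-9][0-9]*$'),
    'Boolean':    re.compile(r'^[01]$'),
    'Date':       re.compile(r'^[0-9]{8}$'),                 # YYYYMMDD
    'Identifier': re.compile(r'^[A-Za-z_][A-Za-z0-9_]*$'),   # bare column/table name
}

_PLACEHOLDER = re.compile(r'%(\d+)')


def _escape_string_literal(value: str) -> str:
    """Quote a value as a MySQL string literal (assumes NO_BACKSLASH_ESCAPES is off)."""
    escaped = value.replace('\\', '\\\\').replace("'", "\\'")
    return "'" + escaped + "'"


def render_param(value, type_name: str) -> str:
    """Turn (value, type) into an SQL fragment, rejecting anything off the allowlist."""
    text = str(value)
    if type_name == 'String':
        return _escape_string_literal(text)
    pattern = _PATTERNS.get(type_name)
    if pattern is None:
        raise QueryParamError(f'unknown placeholder type {type_name!r}')
    if not pattern.match(text):
        raise QueryParamError(f'{text!r} is not a valid {type_name}')
    if type_name == 'Identifier':
        return '`' + text + '`'
    return text


def compose_query(sql: str, params: dict) -> str:
    """Substitute %N placeholders in one pass; every %N must have a typed parameter.

    A single regex pass means substituted values are never re-scanned, so a
    value containing "%2" cannot pull in another parameter.
    """
    def substitute(match):
        index = int(match.group(1))
        if index not in params:
            raise QueryParamError(f'no parameter supplied for %{index}')
        value, type_name = params[index]
        return render_param(value, type_name)
    return _PLACEHOLDER.sub(substitute, sql)


def naive_contact_query(contact_id) -> str:
    """The injectable pattern: untrusted input interpolated straight into SQL."""
    return f"SELECT id FROM civicrm_contact WHERE id = {contact_id}"


def safe_contact_query(contact_id) -> str:
    """The same query with a typed placeholder; anything but an integer is rejected."""
    return compose_query(
        "SELECT id FROM civicrm_contact WHERE id = %1",
        {1: (contact_id, 'Integer')},
    )


def sorted_contact_query(sort_column) -> str:
    """ORDER BY takes an identifier; only an identifier allowlist protects it."""
    return compose_query(
        "SELECT id FROM civicrm_contact ORDER BY %1",
        {1: (sort_column, 'Identifier')},
    )


if __name__ == '__main__':
    payload = "1 OR 1=1"                       # constructed injection payload
    print(naive_contact_query(payload))        # condition is now always true
    print(safe_contact_query(42))
    try:
        safe_contact_query(payload)
    except QueryParamError as err:
        print('rejected:', err)
    print(compose_query("SELECT id FROM civicrm_contact WHERE display_name = %1",
                        {1: ("O'Brien' OR 1=1 -- ", 'String')}))
    try:
        sorted_contact_query("id; DROP TABLE civicrm_contact")
    except QueryParamError as err:
        print('rejected:', err)
```

The practical caveat this models is the one the advisory leaves open: a placeholder mechanism only helps for the positions it is actually used in and the types it actually enforces. Values that reach an `ORDER BY`, a column name, a `LIMIT` or a raw `WHERE` fragment without passing through a typed check are where a "meaningful exploit" would have to be found, so an audit of an API's SQL construction should start from those positions rather than from the quoted-string parameters.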
Upgrade to one of the fixed versions.
Eileen McNaughton, Donald Lobo, Nicolas Ganivet, Coleman Watts