CIVI-SA-2013-010 - SQL Injection by Permissioned Users

2013-11-04 16:54
Written by

The CiviCRM API provides programmatic access to CiviCRM. Multiple APIs were vulnerable to SQL injection attacks.

The potential to exploit these vulnerabilities is limited by multiple factors:

  • An attacker must have either valid credentials or an ability to post malicious content on the target's domain.
  • An attacker must have an advanced permission -- "access CiviCRM" or "access AJAX API" -- in conjunction with access to specific APIs.
  • CiviCRM's mechanism for constructing SQL queries makes it difficult to construct a valid, meaningful exploit. (A meaningful exploit has not yet been identified, but this does not mean that an exploit is impossible.)
Security Risk
Moderately Critical
SQL Injection
Affected Versions

All previous versions.

Fixed Versions
  • 4.2.13
  • 4.3.8
  • 4.4.1

Upgrade to one of the fixed versions.


Eileen McNaughton, Donald Lobo, Nicolas Ganivet, Coleman Watts