CIVI-SA-2015-005 - SQL Injection in CiviMail Backend

2015-03-04 12:15

The backend CiviMail composition screen includes an input field which is passed to a SQL query without proper escaping.

An exploit of this vulnerability in CiviCRM has not been identified. Additional filters applied to the field block a number of SQL control characters. Nevertheless, it could potentially be combined with other vulnerabilities, so we are issuing a patch as a precaution.
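Why a character filter is not a substitute for escaping or binding, shown as an added example that is not CiviCRM code: the table, the blocklist and the function names are constructed for illustration, and Python with SQLite stands in for CiviCRM's PHP and MySQL.

```python
import re
import sqlite3

# Constructed stand-in for "additional filters": strips quotes, semicolons,
# backslashes and comment markers, but does not check the value's type.
BLOCKED = re.compile(r"""['";\\#]|--|/\*""")

def filter_input(value: str) -> str:
    return BLOCKED.sub("", value)

def make_db() -> sqlite3.Connection:
    # Hypothetical table with constructed rows.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE mailing (id INTEGER PRIMARY KEY, name TEXT)")
    db.executemany(
        "INSERT INTO mailing VALUES (?, ?)",
        [(1, "Newsletter"), (2, "Board minutes"), (3, "Donor appeal")],
    )
    return db

def lookup_filtered_only(db: sqlite3.Connection, raw: str) -> list:
    # Weak: the filtered value is still concatenated into the SQL text,
    # so anything the blocklist lets through is parsed as SQL.
    sql = "SELECT name FROM mailing WHERE id = " + filter_input(raw)
    return sorted(row[0] for row in db.execute(sql))

def lookup_bound(db: sqlite3.Connection, raw: str) -> list:
    # Hardened: enforce the expected type, then bind the value as a
    # parameter so it can never change the structure of the statement.
    if not re.fullmatch(r"[0-9]{1,10}", raw):
        raise ValueError("id must be a positive integer")
    sql = "SELECT name FROM mailing WHERE id = ?"
    return sorted(row[0] for row in db.execute(sql, (int(raw),)))

if __name__ == "__main__":
    db = make_db()
    crafted = "2 OR 1=1"  # constructed value with no blocked characters
    print("filter only:", lookup_filtered_only(db, crafted))
    try:
        print("bound:", lookup_bound(db, crafted))
    except ValueError as exc:
        print("bound: rejected,", exc)
```

The filter leaves the crafted value untouched, so the concatenated query returns every row, while the typed, bound version rejects the same input outright.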

Security Risk
Not Critical
SQL Injection
Affected Versions

CiviCRM v4.5.0 - v4.5.6

CiviCRM v4.4.0 - v4.4.12

(Older versions: Unassessed)


Fixed Versions

CiviCRM v4.5.7+, v4.4.13+


  • Stan Dragnev (RNAO)
  • Tim Otten (CiviCRM)