The backend CiviMail composition screen includes an input field which is passed to a SQL query without proper escaping.
An exploit of this vulnerability in CiviCRM has not been identified. Additional filters apply to the field which block a number of SQL control characters. Never-the-less, it could potentially be combined with other vulnerabilities, and we're issuing a patch as a precaution.
CiviCRM v4.5.0 - v4.5.6
CiviCRM v4.4.0 - v4.4.12
(Older versions: Unassessed)
CiviCRM v4.5.7+, v4.4.13+
- Upgrade to CiviCRM v4.5.7+, v4.4.13+,
- Apply https://github.com/civicrm/civicrm-core/pull/5281
- Stan Dragnev (RNAO)
- Tim Otten (CiviCRM)