Security Risk: 
Not Critical
Vulnerability: 
SQL Injection
Affected Versions: 

CiviCRM v4.5.0 - v4.5.6

CiviCRM v4.4.0 - v4.4.12

(Older versions: Unassessed)

 

Fixed Versions: 

CiviCRM v4.5.7+, v4.4.13+

 

Publication Date: 
Wednesday, March 4, 2015
Description: 

The backend CiviMail composition screen includes an input field which is passed to a SQL query without proper escaping.

An exploit of this vulnerability in CiviCRM has not been identified. Additional filters apply to the field which block a number of SQL control characters. Never-the-less, it could potentially be combined with other vulnerabilities, and we're issuing a patch as a precaution.

Solutions: 
Credits: 
  • Stan Dragnev (RNAO)
  • Tim Otten (CiviCRM)