Security Risk:
Not Critical

Vulnerability:
SQL Injection

Affected Versions:
CiviCRM v4.5.0 - v4.5.6
CiviCRM v4.4.0 - v4.4.12
(Older versions: Unassessed)

Fixed Versions:
CiviCRM v4.5.7+, v4.4.13+

Publication Date:
Wednesday, March 4, 2015

The backend CiviMail composition screen includes an input field whose value is interpolated into a SQL query without proper escaping.

An exploit of this vulnerability in CiviCRM has not been identified. Additional filters apply to the field and block a number of SQL control characters, which limits what an attacker could pass through. Nevertheless, character filtering is not a substitute for escaping or parameter binding, and the issue could potentially be combined with other vulnerabilities, so we are issuing a patch as a precaution.
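The following is an added, generic illustration of the vulnerability class described above; it is not CiviCRM code, does not reproduce the affected CiviMail field or its filter, and is not a known exploit of CiviCRM. It uses a constructed SQLite table and a constructed denylist filter to show why a filter that strips SQL control characters reduces but does not remove the risk, and why binding the value as a query parameter does.

```python
import sqlite3

# Constructed toy schema (not CiviCRM's): stands in for a list of mailings
# that a composition screen looks up by a user-supplied id.
ROWS = [(1, "Newsletter", 0), (2, "Draft appeal", 0), (3, "Board minutes", 1)]


def make_db():
    """Build an in-memory database with the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE mailing (id INTEGER, name TEXT, is_archived INTEGER)")
    conn.executemany("INSERT INTO mailing VALUES (?, ?, ?)", ROWS)
    return conn


def strip_control_chars(value):
    """Constructed denylist filter, in the spirit of the one the advisory
    mentions: drops quote, comment and statement separators but nothing else.
    It is deliberately a character filter, not an escaping or validation step."""
    return "".join(ch for ch in value if ch not in "'\";\\-#")


def lookup_unsafe(conn, mailing_id):
    """Vulnerable pattern: the filtered value is still pasted into the SQL text.
    A numeric context needs no quotes, so the filter has nothing to remove."""
    sql = ("SELECT id, name FROM mailing WHERE is_archived = 0 AND id = %s"
           % strip_control_chars(mailing_id))
    return conn.execute(sql).fetchall()


def lookup_safe(conn, mailing_id):
    """Hardened pattern: the value is bound as a parameter. The driver sends it
    as data, so it cannot change the shape of the WHERE clause; a non-numeric
    string simply fails to match the INTEGER column."""
    sql = "SELECT id, name FROM mailing WHERE is_archived = 0 AND id = ?"
    return conn.execute(sql, (mailing_id,)).fetchall()


if __name__ == "__main__":
    db = make_db()
    payload = "0 OR 1=1"  # passes the filter unchanged: no blocked characters
    print("unsafe, benign :", lookup_unsafe(db, "1"))
    print("unsafe, payload:", lookup_unsafe(db, payload))  # archived row leaks
    print("safe,   benign :", lookup_safe(db, "1"))
    print("safe,   payload:", lookup_safe(db, payload))    # no rows
```

The unsafe path returns the archived row for the payload because the interpolated text rewrites the predicate to `(is_archived = 0 AND id = 0) OR 1=1`; the filter never saw a character it was told to remove. The safe path returns nothing for the same input because the database compares the literal string against the id column. In a real application the fix is the bound parameter (in CiviCRM's own code base, the `%1`-style placeholders accepted by `CRM_Core_DAO::executeQuery`), with any character filtering kept only as defence in depth.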

Credits:
  • Stan Dragnev (RNAO)
  • Tim Otten (CiviCRM)