CIVI-SA-2015-009: Incorrect escaping of user input

Published
2015-09-27 19:26

A bug in one of CiviCRM's internal type checks could allow user input that should have been rejected or escaped to be saved to the database and/or displayed to site users.

This was a general weakness in one of CiviCRM's security layers; no specific exploit of it has been identified. A weakness of this kind could allow an attacker to store malicious content (such as script or SQL fragments) in the database or have it rendered to site users.
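To make the class of weakness concrete, the following is an added illustration and is not CiviCRM's code nor the exact bug fixed here (CiviCRM's layer is PHP; this is a Python sketch of the same idea). The type names, patterns, sample values and the hypothetical build_where and render_field helpers are assumptions for the example. It shows three versions of a "type check" for a parameter declared as Integer: one that only looks for the pattern somewhere in the value, one anchored with ^...$ that still lets a trailing newline through, and a strict full-match, and what each lets into an unquoted SQL clause. It also shows the display side, where free-text values are escaped rather than trusted.

```python
import html
import re

# Illustrative parameter types. The names and patterns are assumptions for this
# example, not CiviCRM's own type table or the bug this advisory fixed.
TYPE_PATTERNS = {
    "Integer": r"-?\d+",
    "Positive": r"[1-9]\d*",
    "Boolean": r"[01]",
}


def loose_check(value: str, type_name: str) -> bool:
    """Weak check: the pattern only has to occur somewhere in the value, so
    '42 OR 1=1' is accepted as an Integer because it contains '42'."""
    return re.search(TYPE_PATTERNS[type_name], value) is not None


def dollar_check(value: str, type_name: str) -> bool:
    """Half-fixed check using ^...$: still accepts a trailing newline, because
    in Python (and PCRE) '$' also matches just before a final newline."""
    return re.search(rf"^{TYPE_PATTERNS[type_name]}$", value) is not None


def strict_check(value: str, type_name: str) -> bool:
    """Hardened check: the whole value, first character to last, must be the type."""
    return re.fullmatch(TYPE_PATTERNS[type_name], value) is not None


def build_where(contact_id: str, check) -> str:
    """Hypothetical query builder for a parameter declared as Integer. An Integer
    is interpolated unquoted, so the type check is the only thing standing
    between the request and the SQL parser."""
    if not check(contact_id, "Integer"):
        raise ValueError(f"{contact_id!r} is not a valid Integer")
    return f"SELECT display_name FROM contact WHERE id = {contact_id}"


def render_field(value: str, type_name: str, check=strict_check) -> str:
    """Hypothetical display path: typed values are validated; free-text String
    values are not rejected but are HTML-escaped on output, so a stored
    '<script>' tag is inert when shown to a site user."""
    if type_name == "String":
        return html.escape(value, quote=True)
    if not check(value, type_name):
        raise ValueError(f"{value!r} is not a valid {type_name}")
    return value


# Constructed sample inputs for the comparison, not real traffic.
SAMPLES = [
    "42",
    "-7",
    "42 OR 1=1",
    "42\n",
    "1 UNION SELECT email FROM users",
]


def compare_checks(samples=SAMPLES, type_name="Integer"):
    """Return {value: (loose, dollar, strict)} so the three checks can be compared."""
    return {
        s: (loose_check(s, type_name), dollar_check(s, type_name), strict_check(s, type_name))
        for s in samples
    }


if __name__ == "__main__":
    for value, verdicts in compare_checks().items():
        print(f"{value!r:40} loose={verdicts[0]!s:5} dollar={verdicts[1]!s:5} strict={verdicts[2]}")
    # The weak check lets the injected tail reach the query unquoted.
    print(build_where("42 OR 1=1", loose_check))
    # The display path neutralises stored markup instead of rendering it.
    print(render_field("<script>alert(1)</script>", "String"))
```

The practical check for any such layer is the same as in the table this prints: feed each declared type a value with a prefix that matches and a suffix that should not, plus a trailing newline, and confirm that every variant is rejected before it reaches either the query or the page.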

Security Risk

Critical

Vulnerability

Cross Site Scripting
SQL Injection

Affected Versions

4.5 - 4.6.8

Fixed Versions

4.6.9

Solutions

If you are using CiviCRM 4.5 or later, upgrade to 4.6.9 or the latest release.

Note that this bug did not affect the 4.4 LTS series.

Credits

Coleman Watts of the CiviCRM core team

References

https://issues.civicrm.org/jira/browse/CRM-17291