Security Risk: Less Critical
SQL Injection
Affected Versions: 
  • CiviCRM 4.6.14 and below OR CiviCRM 4.7.4 and below
Fixed Versions: 
  • CiviCRM 4.6.15 and above OR CiviCRM 4.7.5 and above
Publication Date: Wednesday, September 7, 2016

The CiviCRM installer was potentially vulnerable to SQL injection.


  • Upgrade to CiviCRM 4.6.15 or later OR CiviCRM 4.7.5 or later.

This issue was responsibly disclosed to CiviCRM by the Hewlett-Packard Fortify Open Review Project. For more information about the Fortify Open Review project, visit

The fix was submitted by Pradeep Nayak of JMA Consulting.

The issue was resolved by Chris Burgess of Fuzion Aotearoa.