CIVI-SA-2016-04: SQL injection in CiviCRM installer

Published
2016-02-02 02:17
The CiviCRM installer was potentially vulnerable to SQL injection.


Security Risk: Less Critical
Vulnerability: SQL Injection
Affected Versions
  • CiviCRM 4.6.14 and below OR CiviCRM 4.7.4 and below
Fixed Versions
  • CiviCRM 4.6.15 and above OR CiviCRM 4.7.5 and above
Solutions
  • Upgrade to CiviCRM 4.6.15 or later OR CiviCRM 4.7.5 or later.
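Because the affected and fixed boundaries sit on two parallel release lines, a plain numeric comparison gets the 4.7 line wrong: 4.7.0 through 4.7.4 sort above the fixed 4.6.15 yet are still affected. The following Python script is an added example (not part of this advisory or of CiviCRM's own code) that encodes the version ranges stated above and classifies an inventory of installed versions. The site names and version strings in the sample inventory are constructed, and treating a pre-release build of a fixed version as "verify" is this example's own conservative assumption rather than anything the advisory says.

```python
import re
from typing import Dict, Tuple

# Boundaries taken from the advisory text: the 4.6 line is affected up to
# 4.6.14 and fixed from 4.6.15; the 4.7 line is affected up to 4.7.4 and
# fixed from 4.7.5. Releases older than 4.6 fall under "4.6.14 and below".
AFFECTED_MAX_46 = (4, 6, 14)
AFFECTED_MAX_47 = (4, 7, 4)

_VERSION_RE = re.compile(r"^\s*v?(\d+)\.(\d+)(?:\.(\d+))?(.*?)\s*$")


def parse_version(version: str) -> Tuple[Tuple[int, int, int], bool]:
    """Return ((major, minor, patch), is_prerelease).

    A missing patch component counts as 0; any trailing text such as
    'alpha1' or '-rc2' marks the build as a pre-release.
    """
    m = _VERSION_RE.match(version)
    if not m:
        raise ValueError(f"unrecognised CiviCRM version string: {version!r}")
    major, minor, patch, suffix = m.groups()
    return (int(major), int(minor), int(patch or 0)), bool(suffix)


def is_affected(version: str) -> bool:
    """True if the numeric version lies inside either affected range."""
    (major, minor, patch), _ = parse_version(version)
    numeric = (major, minor, patch)
    if (major, minor) == (4, 7):
        # 4.7.0 to 4.7.4 are affected even though they sort above 4.6.15
        return numeric <= AFFECTED_MAX_47
    # Every other line: affected iff it is 4.6.14 or older
    return numeric <= AFFECTED_MAX_46


def assess(version: str) -> str:
    """Classify one version as 'affected', 'fixed', or 'verify'.

    'verify' is this example's conservative choice (an assumption, not
    advisory text) for pre-release builds of a fixed version: confirm the
    build actually contains the fix before treating it as patched.
    """
    if is_affected(version):
        return "affected"
    _, prerelease = parse_version(version)
    return "verify" if prerelease else "fixed"


def triage(inventory: Dict[str, str]) -> Dict[str, str]:
    """Map each site name to its status for a {site: version} inventory."""
    return {site: assess(ver) for site, ver in inventory.items()}


if __name__ == "__main__":
    # Constructed sample inventory, not real deployments
    SAMPLE = {
        "intranet": "4.6.14",
        "donations": "4.6.15",
        "events": "4.7.0",
        "members": "4.7.5",
        "staging": "4.7.5alpha1",
        "legacy": "4.5.9",
    }
    for site, status in triage(SAMPLE).items():
        print(f"{site:10s} {SAMPLE[site]:12s} {status}")
```

Run it directly to print the sample triage, or import `triage` and feed it the output of whatever inventory tool records the CiviCRM version per site. The branch-aware check in `is_affected` is the part worth keeping: any advisory that names fixed releases on more than one maintained line needs the same per-line comparison.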
Credits

This issue was responsibly disclosed to CiviCRM by the Hewlett-Packard Fortify Open Review Project. For more information about the Fortify Open Review project, visit https://hpfod.com/open-source-review-project

The fix was submitted by Pradeep Nayak of JMA Consulting.

The issue was resolved by Chris Burgess of Fuzion Aotearoa.

References
  • https://issues.civicrm.org/jira/browse/CRM-16617 (Restricted Access)
  • https://issues.civicrm.org/jira/browse/CRM-16801 (Restricted Access)