Security Risk: 
Moderately Critical
SQL Injection
Affected Versions: 

Up to v4.7.6 and v4.6.15.

Fixed Versions: 

v4.7.7+ and v4.6.16+

Publication Date: 
Wednesday, May 4, 2016

Multiple SQL injections have been identified in AJAX helpers supporting backend forms. An exploit has been demonstrated. Executing an exploit requires a user account with some kind of CiviCRM permission (such as "access CiviCRM" or "view my contact").


Any ONE of the following should provide protection:

  • Upgrade to v4.7.7+ or v4.6.16+
  • Restrict user permissions (such as "access CiviCRM" or "view my contact") to trusted individuals
  • Backport PRs #8106, #8205, #8216, #8275
  • Simon Waters (Surevine)
  • Mattias Michaux
  • Seamus Lee (Australian Greens)
  • Dave Jenkins (Circle Interactive)
  • Chris Burgess and Eileen McNaughton (Fuzion)
  • Tim Otten (CiviCRM)