CIVI-SA-2016-07: SQL Injections in AJAX callbacks

Published

2016-05-03 14:16

Written by

Multiple SQL injections have been identified in AJAX helpers supporting backend forms. An exploit has been demonstrated. Executing an exploit requires a user account with some kind of CiviCRM permission (such as "access CiviCRM" or "view my contact").

Security Risk

Moderately Critical

Vulnerability

SQL Injection

Affected Versions

Up to v4.7.6 and v4.6.15.

Fixed Versions

v4.7.7+ and v4.6.16+

Solutions

Any ONE of the following should provide protection:

Upgrade to v4.7.7+ or v4.6.16+
Restrict user permissions (such as "access CiviCRM" or "view my contact") to trusted individuals
Backport PRs #8106, #8205, #8216, #8275

Credits

Simon Waters (Surevine)
Mattias Michaux
Seamus Lee (Australian Greens)
Dave Jenkins (Circle Interactive)
Chris Burgess and Eileen McNaughton (Fuzion)
Tim Otten (CiviCRM)

References

http://seclists.org/fulldisclosure/2016/Apr/38

We are in the process of translating the civicrm.org website. Translations may not be available in all languages. Read more and participate.

© 2005 - 2023, CIVICRM LLC. All rights reserved.
CiviCRM and the CiviCRM logo are trademarks of CIVICRM LLC. Except where otherwise noted, content on this site is licensed under a Creative Commons Attribution-Share Alike 3.0 United States Licence.

[D8]

CIVI-SA-2016-07: SQL Injections in AJAX callbacks

WORK WITH A TRUSTED EXPERT
TO SETUP YOUR CIVICRM

Languages

CIVI-SA-2016-07: SQL Injections in AJAX callbacks

WORK WITH A TRUSTED EXPERT TO SETUP YOUR CIVICRM

WORK WITH A TRUSTED EXPERT
TO SETUP YOUR CIVICRM