Affected versions: up to v4.7.6 and v4.6.15.
Fixed versions: v4.7.7+ and v4.6.16+.
Multiple SQL injection vulnerabilities have been identified in the AJAX helpers that support backend forms. An exploit has been demonstrated. Executing an exploit requires a user account holding some CiviCRM permission (such as "access CiviCRM" or "view my contact").
Any ONE of the following should provide protection:
- Upgrade to v4.7.7+ or v4.6.16+
- Restrict user permissions (such as "access CiviCRM" or "view my contact") to trusted individuals
- Backport PRs #8106, #8205, #8216, #8275
Credits:
- Simon Waters (Surevine)
- Mattias Michaux
- Seamus Lee (Australian Greens)
- Dave Jenkins (Circle Interactive)
- Chris Burgess and Eileen McNaughton (Fuzion)
- Tim Otten (CiviCRM)