CIVI-SA-2016-07: SQL Injections in AJAX callbacks

2016-05-03 14:16
Written by

Multiple SQL injections have been identified in AJAX helpers supporting backend forms. An exploit has been demonstrated. Executing an exploit requires a user account with some kind of CiviCRM permission (such as "access CiviCRM" or "view my contact").

Security Risk
Moderately Critical
SQL Injection
Affected Versions

Up to v4.7.6 and v4.6.15.

Fixed Versions

v4.7.7+ and v4.6.16+


Any ONE of the following should provide protection:

  • Upgrade to v4.7.7+ or v4.6.16+
  • Restrict user permissions (such as "access CiviCRM" or "view my contact") to trusted individuals
  • Backport PRs #8106, #8205, #8216, #8275
  • Simon Waters (Surevine)
  • Mattias Michaux
  • Seamus Lee (Australian Greens)
  • Dave Jenkins (Circle Interactive)
  • Chris Burgess and Eileen McNaughton (Fuzion)
  • Tim Otten (CiviCRM)