Security Risk: 
Moderately Critical
Vulnerability: 
SQL Injection
Affected Versions: 

CiviCRM versions prior to 4.7.11 or 4.6.21

Fixed Versions: 

CiviCRM versions 4.7.11 or greater, or 4.6.21 or greater

Publication Date: 
Wednesday, September 7, 2016
Description: 

A SQL injection vulnerability was identified in CiviCRM's API, where an API parameter was passed directly into a SQL query.

This is mitigated by the fact that the remote user must already hold some elevated permissions to exploit the vulnerability. CiviCRM recommends that all sites upgrade to obtain this and other recent fixes.
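As an added illustration of the bug class the description names (this is not the vulnerable code from the advisory and not CiviCRM project code): a hypothetical API3 action that concatenates a caller-supplied parameter into SQL, beside the same action using CiviCRM's typed query parameters. The entity, action and parameter names are invented; the CRM_Core_DAO, CRM_Utils_Type and civicrm_api3_* helpers are CiviCRM's own.

```php
<?php
// Hypothetical API3 action (constructed for illustration): list contacts of a given type.
// VULNERABLE: the caller-controlled 'contact_type' value is concatenated straight into
// the query, which is the pattern the advisory describes (an API parameter passed
// directly to SQL). Anything the caller puts in that value becomes SQL syntax.
function civicrm_api3_example_listbytype_vulnerable($params) {
  $contactType = $params['contact_type'];
  $sql = "SELECT id, display_name FROM civicrm_contact WHERE contact_type = '" . $contactType . "'";
  $dao = CRM_Core_DAO::executeQuery($sql);
  $values = array();
  while ($dao->fetch()) {
    $values[$dao->id] = array('id' => $dao->id, 'display_name' => $dao->display_name);
  }
  return civicrm_api3_create_success($values, $params, 'Example', 'listbytype');
}

// FIXED: the value is checked against its declared type and then bound as a typed
// query parameter (%1), so the database driver only ever treats it as data.
function civicrm_api3_example_listbytype($params) {
  civicrm_api3_verify_mandatory($params, NULL, array('contact_type'));
  // CRM_Utils_Type::validate() rejects values that do not match the declared type.
  $contactType = CRM_Utils_Type::validate($params['contact_type'], 'String');
  $sql = "SELECT id, display_name FROM civicrm_contact WHERE contact_type = %1";
  $sqlParams = array(1 => array($contactType, 'String'));
  $dao = CRM_Core_DAO::executeQuery($sql, $sqlParams);
  $values = array();
  while ($dao->fetch()) {
    $values[$dao->id] = array('id' => $dao->id, 'display_name' => $dao->display_name);
  }
  return civicrm_api3_create_success($values, $params, 'Example', 'listbytype');
}
```

When auditing an API extension, the quick check is to grep for executeQuery() calls whose first argument is built with string concatenation or interpolation of anything from $params.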

Solutions: 

Ideally, 

  • Upgrade to CiviCRM 4.7.11 or greater, or 4.6.21 or greater

If you are unable to upgrade to one of these releases, then you may wish to patch your install. Relevant patches are:

Credits: 
  • Seamus Lee and Frank J. Gómez for providing a fix
  • Frank J. Gómez for identifying and disclosing the issue to CiviCRM
References: 
CVE: 
CIVI-SA-2016-12