A SQL injection vulnerability was identified in CiviCRM's API, where an API parameter was passed directly into a SQL query without sanitization.
This is mitigated by the fact that the remote user must have some elevated permissions to exploit the vulnerability. CiviCRM recommends that all sites upgrade to obtain this and other recent fixes.
Affected versions: CiviCRM versions prior to 4.7.11 or 4.6.21
Fixed versions: CiviCRM versions 4.7.11 or greater, or 4.6.21 or greater
Ideally,
- Upgrade to CiviCRM 4.7.11 or greater, or 4.6.21 or greater
If you are unable to upgrade to one of these releases, then you may wish to patch your install. Relevant patches are:
- https://github.com/civicrm/civicrm-core/pull/8693
- https://github.com/civicrm/civicrm-core/pull/8901
- https://github.com/civicrm/civicrm-core/pull/8859 (4.7 only)
- https://github.com/civicrm/civicrm-core/pull/8862 (4.6 only)
- Seamus Lee and Frank J. Gómez for providing a fix
- Frank J. Gómez for identifying and disclosing the issue to CiviCRM
- https://issues.civicrm.org/jira/browse/CRM-19068 (restricted access)