Sites that run CiviCRM on Drupal 6 with the "devel" module's SQL query logging enabled may be vulnerable to SQL injection through the logged query text. It is not clear whether this vulnerability is exploitable in practice.
Affected versions: CiviCRM 4.6.20, 4.7.10 and earlier
Fixed versions: CiviCRM 4.6.21 and 4.7.11
To fix this, users should do one of the following:
- Upgrade to CiviCRM 4.6.21 or 4.7.11
- Disable the "devel" module
- Disable the "devel" module's SQL logging
- Apply the patch as per https://github.com/civicrm/civicrm-packages/pull/154/files
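The advisory does not describe the mechanism, so the following is an added illustration of the bug class it names, written for this page; it is not CiviCRM, Drupal or devel code, and the table names, column names, user id and payload are constructed for the example. It shows how a query logger that interpolates the text of an already-executed statement into its own INSERT can be injected even though the application's query escaped its value correctly, and shows the generic hardening (binding the logged text as a parameter), which is not necessarily the exact change made in the patch linked above.

```python
import sqlite3

# Constructed payload: harmless inside the application's own query (it sits
# inside an escaped string literal) but breaks out of a naively built log INSERT.
MALICIOUS_NAME = ", 0) --"
LOGGED_USER_ID = 42  # assumed id of the user whose query is being logged


def sql_quote(value: str) -> str:
    """Escape a string for use as a single-quoted SQL literal."""
    return "'" + value.replace("'", "''") + "'"


def build_app_query(name: str) -> str:
    """The application's own query. The value is escaped, so this query is safe."""
    return "SELECT id FROM contact WHERE display_name = " + sql_quote(name)


def new_db() -> sqlite3.Connection:
    """Fresh in-memory database with an application table and a query-log table."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE contact (id INTEGER PRIMARY KEY, display_name TEXT);
        CREATE TABLE query_log (id INTEGER PRIMARY KEY, sql_text TEXT, user_id INTEGER);
        INSERT INTO contact (display_name) VALUES ('O''Brien');
        """
    )
    return conn


def log_query_unsafe(conn: sqlite3.Connection, sql_text: str, user_id: int) -> None:
    """Vulnerable logger: the logged statement is pasted into a new statement.

    The quote that opens the value literal inside sql_text closes the log
    literal, so whatever followed it in the original query is now parsed as SQL.
    """
    stmt = "INSERT INTO query_log (sql_text, user_id) VALUES ('%s', %d)" % (sql_text, user_id)
    conn.execute(stmt)


def log_query_safe(conn: sqlite3.Connection, sql_text: str, user_id: int) -> None:
    """Hardened logger: the logged text is bound as a parameter and never parsed."""
    conn.execute(
        "INSERT INTO query_log (sql_text, user_id) VALUES (?, ?)",
        (sql_text, user_id),
    )


def run_and_log(logger, name: str):
    """Run the application query with the given name, log it, return what was logged.

    Returns the (sql_text, user_id) row the logger wrote. With the unsafe logger
    and MALICIOUS_NAME the recorded user_id is forged to 0 and the logged text is
    truncated; with the safe logger the full query and the real user id survive.
    """
    conn = new_db()
    app_sql = build_app_query(name)
    conn.execute(app_sql)  # safe: the name is inside a correctly escaped literal
    logger(conn, app_sql, LOGGED_USER_ID)
    return conn.execute("SELECT sql_text, user_id FROM query_log").fetchone()


if __name__ == "__main__":
    print("unsafe logger recorded:", run_and_log(log_query_unsafe, MALICIOUS_NAME))
    print("safe logger recorded:  ", run_and_log(log_query_safe, MALICIOUS_NAME))
```

The payload here only forges the `user_id` column and truncates the logged text, because sqlite3's `execute` accepts a single statement; on a driver that allows stacked statements the same break-out would run arbitrary SQL. Note also that the unsafe logger fails even on benign input such as `O'Brien`, which is the usual symptom of this class of bug.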
Thanks to Chris Burgess (Fuzion NZ) for reporting the issue.
Thanks to Seamus Lee (Australian Greens) for fixing the issue.
- https://issues.civicrm.org/jira/browse/CRM-18773 (Restricted Access)