CIVI-SA-2016-18: Potential SQL injection in developer mode

Published
2016-08-31 23:42
Sites that use the Drupal 6 "devel" module together with CiviCRM to log SQL queries may be vulnerable to SQL injection. However, it is not clear whether this vulnerability is exploitable.

Security Risk
Less Critical
Vulnerability
SQL Injection
Affected Versions

CiviCRM versions 4.6.20, 4.7.10, and earlier

Fixed Versions

CiviCRM versions 4.6.21 and 4.7.21

Solutions

To fix this, users should do one of the following:

Credits

Chris Burgess (Fuzion NZ) for reporting the issue.

Seamus Lee (Australian Greens) for fixing the issue.

References