Affected versions: CiviCRM 4.6.20, 4.7.10 and earlier
Fixed versions: CiviCRM 4.6.21 and 4.7.21
Sites which use the Drupal 6 "devel" module with CiviCRM to log SQL queries may be vulnerable to a SQL injection. However, it is not clear if this vulnerability is exploitable.
To fix this, users should do one of the following:
- Upgrade to CiviCRM 4.6.21 or 4.7.11
- Disable the "devel" module
- Disable the "devel" module's SQL logging
- Apply the patch as per https://github.com/civicrm/civicrm-packages/pull/154/files
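A small triage helper, added here as an example and not part of the advisory or of CiviCRM's own code, that encodes the conditions above: a site is exposed only when its CiviCRM release predates the fix, the Drupal 6 "devel" module is enabled, and devel's SQL query logging is on. It assumes the administrator supplies those three facts (for instance from the CiviCRM admin screen and the Drupal modules page) and uses the upgrade targets from the mitigation list (4.6.21 / 4.7.11) as the fixed releases.

```python
"""Triage helper for the CiviCRM / Drupal 6 devel SQL-logging advisory.

Added example (not CiviCRM project code). Inputs are assumed to be gathered by
the administrator: the CiviCRM version string, whether the devel module is
enabled, and whether devel's SQL query logging is switched on.
"""
from typing import Dict, List, Tuple

# Fixed releases per the advisory's upgrade instruction: 4.6.21 and 4.7.11.
FIXED_VERSIONS = {(4, 6): (4, 6, 21), (4, 7): (4, 7, 11)}

# Mitigation options listed in the advisory; any one of them is sufficient.
MITIGATIONS = [
    "Upgrade CiviCRM to 4.6.21 / 4.7.11 (or apply the civicrm-packages patch)",
    "Disable the devel module",
    "Disable the devel module's SQL query logging",
]


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '4.7.10' into (4, 7, 10); a suffix such as '-rc1' is ignored."""
    core = version.split("-", 1)[0]
    return tuple(int(part) for part in core.split("."))


def version_is_fixed(version: str) -> bool:
    """True when the release already contains the fix.

    4.6.x and 4.7.x are compared against the fixed releases; older branches
    are treated as unfixed (advisory: '4.6.20, 4.7.10 and earlier') and
    newer branches as fixed.
    """
    parsed = parse_version(version)
    branch = parsed[:2]
    if branch in FIXED_VERSIONS:
        return parsed >= FIXED_VERSIONS[branch]
    return branch > (4, 7)


def triage(civicrm_version: str, devel_enabled: bool,
           devel_sql_logging: bool) -> Dict[str, object]:
    """Report whether the site matches the affected configuration.

    All three conditions must hold for the site to be exposed; when it is,
    every mitigation from the advisory is offered as an option.
    """
    exposed = (not version_is_fixed(civicrm_version)
               and devel_enabled and devel_sql_logging)
    options: List[str] = list(MITIGATIONS) if exposed else []
    return {"exposed": exposed, "options": options}
```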
Credits:
- Chris Burgess (Fuzion NZ) for reporting the issue.
- Seamus Lee (Australian Greens) for fixing the issue.
References:
- https://issues.civicrm.org/jira/browse/CRM-18773 (Restricted Access)