CIVI-SA-2016-19 Order By clause in API not properly being validated

2016-11-18 21:50
seamuslee - member of the CiviCRM community

When generating an API query, the ORDER BY clause for some entities was not correctly validated and escaped. This may have permitted data disclosure via time-based blind SQL attacks.

This is mitigated by the fact that an attacker would need API access to exploit the vulnerability.
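The defensive pattern that closes this class of bug is to never interpolate a caller-supplied sort string into SQL, and instead to accept only allowlisted field names with an optional ASC/DESC direction. The PHP below is an added illustration of that approach and is not CiviCRM's own code or its actual fix; the function name `safeOrderBy`, the `InvalidArgumentException` error handling and the sample allowlist are assumptions made for the example.

```php
<?php
// Added example (not CiviCRM code): validate an API "sort" option against an
// allowlist of known fields before it becomes part of an ORDER BY clause.

/**
 * Build an ORDER BY fragment from an untrusted sort string such as
 * "sort_name ASC, id DESC". Each comma-separated term must be a single
 * allowlisted identifier, optionally followed by ASC or DESC. Anything else
 * (function calls, subqueries, extra punctuation) is rejected, so no text
 * from the request is ever copied into the SQL.
 *
 * @param string   $sort          Untrusted sort expression from the API call.
 * @param string[] $allowedFields Lower-case field names known for the entity.
 * @return string  ' ORDER BY ...' or '' when no terms were supplied.
 * @throws InvalidArgumentException on any term that is not allowlisted.
 */
function safeOrderBy(string $sort, array $allowedFields): string {
    $clauses = [];
    foreach (explode(',', $sort) as $term) {
        $term = trim($term);
        if ($term === '') {
            continue;
        }
        // Exactly one identifier, then an optional direction keyword.
        if (!preg_match('/^([A-Za-z_][A-Za-z0-9_]*)(?:\s+(ASC|DESC))?$/i', $term, $m)) {
            throw new InvalidArgumentException("Invalid sort term: $term");
        }
        $field = strtolower($m[1]);
        if (!in_array($field, $allowedFields, true)) {
            throw new InvalidArgumentException("Unknown sort field: $field");
        }
        // $m[2] is absent when no direction was given; default to ASC.
        $direction = strtoupper($m[2] ?? 'ASC');
        // Only the allowlisted name is emitted, never the raw request text.
        $clauses[] = "`$field` $direction";
    }
    return $clauses ? ' ORDER BY ' . implode(', ', $clauses) : '';
}

// Constructed allowlist standing in for an entity's real field list.
$allowed = ['id', 'sort_name', 'created_date'];

// A well-formed sort passes through as quoted, allowlisted identifiers.
echo safeOrderBy('sort_name, id DESC', $allowed), "\n";

// A term that is not a plain identifier is refused instead of being
// appended to the query, which is what defeats injection via ORDER BY.
try {
    safeOrderBy('sort_name, (select 1)', $allowed);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}
```

Rejecting rather than silently dropping bad terms is deliberate: a rejected request surfaces in API error logs, which gives operators a detection signal for probing against the sort parameter, whereas quietly ignoring the term would hide it.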

Security Risk
  • Moderately Critical
  • SQL Injection

Affected Versions
  • 4.7.13 and earlier
  • 4.6.23 and earlier

Fixed Versions
  • 4.7.14
  • 4.6.24

  • Upgrade to the latest CiviCRM version
  • Apply the following patch if you cannot upgrade:

Mattias Michaux for reporting the issue

Seamus Lee for fixing the issue