Security Risk:
Moderately Critical
Vulnerability:
SQL Injection
Affected Versions:
  • 4.7.13 and earlier
  • 4.6.23 and earlier
Fixed Versions:
  • 4.7.14
  • 4.6.24
Publication Date:
Saturday, November 19, 2016
Description:

When generating an API query, the ORDER BY clause for some entities was not correctly validated and escaped. This may have permitted data disclosure via time-based blind SQL attacks.

This is mitigated by the fact that attacks would require API access to exploit the vulnerability.
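The defect described above is the classic sort-parameter injection: an API caller's ORDER BY value is spliced into SQL as a string, and because column names cannot be bound as prepared-statement parameters, the only sound fix is to accept nothing but whitelisted column identifiers and directions. The block below is an added illustration, not the project's code or the patch referenced in this advisory; the table name `contact`, the column whitelist, the sample rows and the `sort` parameter format (`"column [ASC|DESC], ..."`) are all constructed for the example.

```python
"""Whitelist-based ORDER BY construction (illustrative; not the project's own code).

Assumptions (constructed for this example): a hypothetical "contact" entity with
the columns listed in ALLOWED_SORT_COLUMNS, and a sort parameter supplied by an
API caller as a string such as "display_name ASC, id DESC".
"""
import re
import sqlite3

# Constructed whitelist: the only columns an API caller may sort on.
ALLOWED_SORT_COLUMNS = {"id", "display_name", "created_date"}

# One sort term is a bare identifier, optionally followed by ASC or DESC.
# Anything else (parentheses, functions, sub-selects, stray punctuation) fails.
_TERM_RE = re.compile(r"^([A-Za-z_][A-Za-z0-9_]*)(?:\s+(ASC|DESC))?$", re.IGNORECASE)


def unsafe_order_by(sort_param: str) -> str:
    """The vulnerable pattern: the caller's string is spliced into SQL verbatim.

    Kept here only as the 'before' form; never use this in real code.
    """
    return f"SELECT id FROM contact ORDER BY {sort_param}"


def validate_sort(sort_param: str, allowed=ALLOWED_SORT_COLUMNS) -> list[tuple[str, str]]:
    """Parse a sort parameter into (column, direction) pairs.

    Every column must be in the whitelist and every direction must be ASC or
    DESC (defaulting to ASC); any other input raises ValueError.
    """
    terms = []
    for raw in sort_param.split(","):
        term = raw.strip()
        m = _TERM_RE.match(term)
        if not m:
            raise ValueError(f"malformed sort term: {term!r}")
        column, direction = m.group(1), (m.group(2) or "ASC").upper()
        if column not in allowed:
            raise ValueError(f"sort column not permitted: {column!r}")
        terms.append((column, direction))
    return terms


def safe_order_by(sort_param: str) -> str:
    """Build the ORDER BY clause only from validated, whitelisted tokens."""
    clause = ", ".join(f"{col} {direction}" for col, direction in validate_sort(sort_param))
    return f"SELECT id FROM contact ORDER BY {clause}"


def is_accepted(sort_param: str) -> bool:
    """True if the hardened builder accepts the sort parameter, False if it rejects it."""
    try:
        safe_order_by(sort_param)
    except ValueError:
        return False
    return True


def run_query(sort_param: str) -> list[int]:
    """Execute the hardened query against an in-memory table of constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE contact (id INTEGER, display_name TEXT, created_date TEXT)")
    conn.executemany(
        "INSERT INTO contact VALUES (?, ?, ?)",
        [(1, "Zed", "2016-01-01"), (2, "Amy", "2016-02-01"), (3, "Bob", "2016-03-01")],
    )
    rows = conn.execute(safe_order_by(sort_param)).fetchall()
    conn.close()
    return [r[0] for r in rows]


if __name__ == "__main__":
    print(run_query("display_name ASC"))          # ids ordered by name: [2, 3, 1]
    print(is_accepted("id, (SELECT 1)"))          # False: expression rejected
    print(is_accepted("created_date"))            # False would be wrong here; True
```

Two design points matter for the defender. First, escaping is the wrong tool for this position in the statement: an identifier cannot be quoted like a string literal, so validation against a fixed set of known column names is what actually closes the hole. Second, the whitelist should list only the columns the API is meant to expose; sorting on an arbitrary real column is itself a disclosure channel, which is why `validate_sort` rejects unknown names rather than merely checking that they look like identifiers.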

Solutions:
Credits:

Mattias Michaux for reporting the issue

Seamus Lee for fixing the issue

References: