Security Risk: Less Critical
Vulnerability: SQL Injection
Affected Versions:
  • 4.7.13 and earlier
  • 4.6.23 and earlier
Fixed Versions:
  • 4.7.14
  • 4.6.24
Publication Date: Saturday, November 19, 2016
Description:

It was identified that inputs were not correctly validated when viewing an activity related to a case: the custom group title was not properly escaped when the SQL for that view was generated.

This is mitigated by the fact that an attacker would need to have the "administer CiviCRM" permission, and that the issue only affects sites with CiviCase enabled.
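The following is an added illustration of the pattern behind this class of bug, not CiviCRM's own code or the actual fix: the query shape, column usage and function names are assumptions, and the point is only the difference between splicing an admin-controlled title into SQL text and binding it as a typed parameter. CRM_Core_DAO::executeQuery() and its numbered-parameter array are real CiviCRM APIs.

```php
<?php
// Added example, not code from the CiviCRM project. The SELECT below is a
// hypothetical stand-in for the activity view's query generation.

// Vulnerable pattern: the custom group title, stored in the database by a
// user with "administer CiviCRM", is interpolated directly into the SQL.
// A title containing a single quote breaks the statement, and a crafted
// one could alter it.
function vulnerableActivityCustomQuery(string $customGroupTitle): string {
  return "SELECT cg.id, cg.table_name
          FROM civicrm_custom_group cg
          WHERE cg.title = '$customGroupTitle' AND cg.extends = 'Activity'";
}

// Hardened pattern: hand the title to the DAO layer as a bound parameter.
// CiviCRM replaces %1 with the escaped and quoted value, so the title is
// always treated as data, never as part of the statement.
function hardenedActivityCustomQuery(string $customGroupTitle) {
  $sql = "SELECT cg.id, cg.table_name
          FROM civicrm_custom_group cg
          WHERE cg.title = %1 AND cg.extends = 'Activity'";
  $params = [1 => [$customGroupTitle, 'String']];
  return CRM_Core_DAO::executeQuery($sql, $params);
}

// Constructed title with an apostrophe, enough to show why escaping matters:
// the vulnerable builder yields an unbalanced quote in the WHERE clause.
$title = "Client's Case Notes";
echo vulnerableActivityCustomQuery($title), PHP_EOL;
```

The same idea applies to any value read back from the database and reused in SQL: the fact that only an administrator can set it reduces the risk, as the advisory notes, but it does not make the interpolation safe.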

Solutions:

Upgrade to CiviCRM 4.7.14 or 4.6.24.
Credits:

Mathieu Lutfy for reporting and providing the fix.

References: