CIVI-SA-2016-21 Incorrect Escaping of custom group name in CiviCase

Published
2016-11-18 21:46
Written by

It was identified that inputs were not correctly validated when viewing an activity related to a case, due to custom group title not being properly escaped for SQL generation.

This is mitigated by the fact that an attacker would need to have the "administer CiviCRM" permission, and that the issue only affects sites with CiviCase enabled.

Security Risk
Less Critical
Vulnerability
SQL Injection
Affected Versions
  • 4.7.13 and earlier
  • 4.6.23 and earlier
Fixed Versions
  • 4.7.14
  • 4.6.24
Solutions
  • Upgrade to latest CiviCRM version
  • If you cannot upgrade, apply the following patches.

    • https://github.com/civicrm/civicrm-core/pull/9395
    • https://github.com/civicrm/civicrm-core/pull/9433
Credits

Mathieu Lutfy for reporting and providing the fix.

References