CIVI-SA-2017-06: Incorrect escaping in Drupal Views integration

Published: 2017-07-05 23:00
Drupal Views allows an administrator to produce a screen with data from CiviCRM's custom fields. Certain custom fields were not correctly escaped in this integration and could be manipulated to inject SQL.
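The defect class this advisory names is the general one of an identifier (here, a column name that comes from custom-field metadata rather than from the developer) being spliced into a SQL statement. Identifiers cannot be passed as bound parameters, so the defensive pattern is to check the requested name against the live schema and only then quote it. The following is an added illustration, not CiviCRM's code or the fix; the `civicrm_value_demo` table and its columns are constructed for the demo, and sqlite3 is used so it runs offline (MySQL quotes identifiers with backticks, but the allow-list logic is identical).

```python
"""Vulnerable versus hardened construction of a SELECT whose column name
is data-driven. Added example; not CiviCRM or Drupal Views code. Schema,
table and column names are constructed for this demo."""
import sqlite3


class UnsafeIdentifier(ValueError):
    """Raised when a requested table or column is not part of the real schema."""


def setup_db() -> sqlite3.Connection:
    # Constructed stand-in for a custom-value table; values are made up.
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE civicrm_value_demo (
            entity_id INTEGER PRIMARY KEY,
            favourite_colour TEXT,
            member_since INTEGER
        );
        INSERT INTO civicrm_value_demo VALUES (1, 'green', 2015), (2, 'blue', 2017);
        """
    )
    return conn


def select_column_unsafe(conn, table, column):
    # Vulnerable pattern: the identifier is concatenated into the statement,
    # so anything the metadata contains becomes part of the SQL.
    return conn.execute(f"SELECT {column} FROM {table}").fetchall()


def quote_ident(name: str) -> str:
    # Standard-SQL identifier quoting: wrap in double quotes and double any
    # embedded quote. This is a second layer; the allow-list below is the
    # primary control, because quoting alone does not prove the name exists.
    return '"' + name.replace('"', '""') + '"'


def known_tables(conn):
    # Table names as the database itself reports them (bound parameters
    # are not needed here because the query has no user-controlled input).
    rows = conn.execute(
        "SELECT name FROM sqlite_master WHERE type = 'table'"
    ).fetchall()
    return {r[0] for r in rows}


def known_columns(conn, table):
    # PRAGMA arguments cannot be bound, so the caller must already have
    # confirmed 'table' is in known_tables() before this is reached.
    rows = conn.execute(f"PRAGMA table_info({quote_ident(table)})").fetchall()
    return {r[1] for r in rows}  # column 1 of table_info is the column name


def select_column_safe(conn, table, column):
    # Hardened pattern: refuse any identifier the schema does not contain,
    # then quote the survivors before building the statement.
    if table not in known_tables(conn):
        raise UnsafeIdentifier(f"unknown table: {table!r}")
    if column not in known_columns(conn, table):
        raise UnsafeIdentifier(f"unknown column: {column!r}")
    sql = f"SELECT {quote_ident(column)} FROM {quote_ident(table)}"
    return conn.execute(sql).fetchall()


if __name__ == "__main__":
    db = setup_db()
    # A constructed "column name" that carries extra SQL: the unsafe builder
    # happily returns a second column, the safe one rejects it outright.
    tampered = "favourite_colour, entity_id"
    print("unsafe:", select_column_unsafe(db, "civicrm_value_demo", tampered))
    try:
        select_column_safe(db, "civicrm_value_demo", tampered)
    except UnsafeIdentifier as exc:
        print("safe:", exc)
```

The detection angle follows directly from the hardened function: every identifier that fails the schema check is a candidate for logging, since a legitimate Views display never asks for a column that does not exist.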

Security Risk: Moderately Critical
Vulnerability: SQL Injection
Affected Versions

Only the Drupal implementation of the following versions is affected:

  • 4.7.20 and earlier
  • 4.6.28 and earlier
Fixed Versions
  • 4.7.21
  • 4.6.29
Solutions

Upgrade to the latest version of CiviCRM

If you cannot upgrade, you should apply the following patch

Credits

John Kingsnorth of Cambridge University for reporting the issue

Dave Jenkins of Circle Interactive for fixing the issue