CIVI-SA-2017-06: Incorrect escaping in Drupal Views integration

Published

2017-07-05 23:00

Written by

seamuslee

Drupal Views allows an administrator to produce a screen with data from CiviCRM's custom-fields. Certain custom-fields could potentially be manipulated to inject SQL.

Security Risk

Moderately Critical

Vulnerability

SQL Injection

Affected Versions

Only the Drupal implementation of the following versions are affected:

4.7.20 and earlier
4.6.28 and earlier

Fixed Versions

4.7.21
4.6.29

Solutions

Upgrade to the latest version of CiviCRM

If you cannot upgrade then you should apply the following patch

Drupal 7 https://github.com/civicrm/civicrm-drupal/pull/448
Drupal 6 https://github.com/civicrm/civicrm-drupal/pull/449

Credits

John Kingsnorth of Cambridge University for reporting the issue

Dave Jenkins of Circle Interactive for fixing the issue

References

https://issues.civicrm.org/jira/browse/CRM-20215

We are in the process of translating the civicrm.org website. Translations may not be available in all languages. Read more and participate.

© 2005 - 2023, CIVICRM LLC. All rights reserved.
CiviCRM and the CiviCRM logo are trademarks of CIVICRM LLC. Except where otherwise noted, content on this site is licensed under a Creative Commons Attribution-Share Alike 3.0 United States Licence.

[D8]

CIVI-SA-2017-06: Incorrect escaping in Drupal Views integration

WORK WITH A TRUSTED EXPERT
TO SETUP YOUR CIVICRM

Languages

CIVI-SA-2017-06: Incorrect escaping in Drupal Views integration

WORK WITH A TRUSTED EXPERT TO SETUP YOUR CIVICRM

WORK WITH A TRUSTED EXPERT
TO SETUP YOUR CIVICRM