CIVI-SA-2017-06: Incorrect escaping in Drupal Views integration

2017-07-05 23:00

Drupal Views allows an administrator to build a display from data held in CiviCRM custom fields. Because the Views integration escaped certain custom-field data incorrectly, such custom fields could be manipulated to inject SQL.
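The following is an added illustration of the defence for this bug class; it is not CiviCRM's or Drupal Views' own code, and the function names, the sample custom-field metadata, and the table and column names are all constructed for the example. It contrasts a handler that pastes custom-field metadata straight into a query with one that treats those table and column names as untrusted identifiers (they originate in editable configuration), allow-lists them, and leaves the row value to be bound as a parameter.

```php
<?php
declare(strict_types=1);

// Added illustration, not code from CiviCRM or its Drupal Views integration.
// Custom-field metadata (table and column names) comes from configuration an
// administrator can edit, so SQL built from it must validate those names as
// identifiers and bind values as parameters instead of interpolating them.

/**
 * Allow-list check for a MySQL identifier, then backtick-quote it.
 * CiviCRM custom-field tables and columns use only [A-Za-z0-9_], and MySQL
 * caps identifiers at 64 characters, so anything else is rejected outright
 * rather than "escaped" into the query.
 */
function quoteIdentifier(string $name): string
{
    if (!preg_match('/^[A-Za-z0-9_]{1,64}$/', $name)) {
        throw new InvalidArgumentException("Unsafe SQL identifier rejected: $name");
    }
    return '`' . $name . '`';
}

/**
 * Unsafe pattern (shown for contrast): metadata and value pasted straight
 * into the statement. A column name containing a backtick or other SQL
 * syntax changes the meaning of the query.
 */
function buildFieldQueryUnsafe(array $field, int $entityId): string
{
    return "SELECT {$field['column']} FROM {$field['table']} WHERE entity_id = {$entityId}";
}

/**
 * Hardened pattern: identifiers validated and quoted; the entity id stays a
 * placeholder (CiviCRM's %1 style, bound by the DAO layer at execution time).
 * Returns [sql, params] in the shape CRM_Core_DAO::executeQuery() accepts.
 */
function buildFieldQuerySafe(array $field, int $entityId): array
{
    $sql = sprintf(
        'SELECT %s FROM %s WHERE entity_id = %%1',
        quoteIdentifier($field['column']),
        quoteIdentifier($field['table'])
    );
    return [$sql, [1 => [$entityId, 'Positive']]];
}

// Constructed sample metadata: two legitimate custom fields and one whose
// column name contains characters no real CiviCRM custom field would carry.
$samples = [
    ['table' => 'civicrm_value_extra_details_3', 'column' => 'favourite_colour_7'],
    ['table' => 'civicrm_value_extra_details_3', 'column' => 'shoe_size_8'],
    ['table' => 'civicrm_value_extra_details_3', 'column' => 'shoe size`8'],
];

foreach ($samples as $field) {
    try {
        [$sql, $params] = buildFieldQuerySafe($field, 42);
        echo "OK:       $sql\n";
    } catch (InvalidArgumentException $e) {
        echo "REJECTED: " . $e->getMessage() . "\n";
    }
}
```

The point of rejecting rather than escaping is that identifiers cannot be parameterised the way values can: the only safe option is to refuse any name outside the character set the schema actually uses, and to keep the one value in the query as a bound parameter.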

Security Risk: Moderately Critical (SQL Injection)

Affected Versions

Only the Drupal implementation of the following versions is affected:

  • 4.7.20 and earlier
  • 4.6.28 and earlier

Fixed Versions

  • 4.7.21
  • 4.6.29

Upgrade to the latest version of CiviCRM.

If you cannot upgrade, apply the following patch:



Thanks to:

  • John Kingsnorth of Cambridge University for reporting the issue
  • Dave Jenkins of Circle Interactive for fixing the issue