Security Risk: Moderately Critical
SQL Injection
Affected Versions:

Only the Drupal implementation of the following versions is affected:

  • 4.7.20 and earlier
  • 4.6.28 and earlier
Fixed Versions: 
  • 4.7.21
  • 4.6.29
Publication Date: Wednesday, July 5, 2017

Drupal Views allows an administrator to produce a screen with data from CiviCRM's custom fields. Certain custom fields could potentially be manipulated to inject SQL.

Upgrade to the latest version of CiviCRM.

If you cannot upgrade, then you should apply the following patch:

John Kingsnorth of Cambridge University for reporting the issue

Dave Jenkins of Circle Interactive for fixing the issue