Security Risk: 
Moderately Critical
Vulnerability: 
SQL Injection
Affected Versions: 
Only the Drupal implementation of the following versions is affected:

  • 4.7.20 and earlier
  • 4.6.28 and earlier
Fixed Versions: 
  • 4.7.21
  • 4.6.29
Publication Date: 
Wednesday, July 5, 2017
Description: 

Drupal Views allows an administrator to produce a screen with data from CiviCRM's custom fields. Certain custom fields could potentially be manipulated to inject SQL.

Solutions: 

Upgrade to the latest version of CiviCRM.

If you cannot upgrade, then you should apply the following patch:


Credits: 

John Kingsnorth of Cambridge University for reporting the issue

Dave Jenkins of Circle Interactive for fixing the issue