Security Risk: Less Critical
Vulnerability: SQL Injection
Affected Versions: CiviCRM Versions prior to 4.7.26 and 4.6.33
Fixed Versions: CiviCRM Versions 4.7.26 and 4.6.33
Publication Date: Wednesday, November 1, 2017
Description: 

Previously, the `grp` URL parameter was passed without validation into the grouping part of an SQL query, which made SQL injection possible. The SQL that lists the reports has now been rewritten to properly validate every variable used in the query.
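As an added illustration of the class of fix described above (not CiviCRM's own code; the `reports` table, its columns and the `grp` values are constructed, and the "grouping part" is assumed to be a GROUP BY clause): a column name in GROUP BY cannot be supplied as a bound query parameter, so the check is an allowlist of permitted grouping columns applied before the value reaches the SQL.

```python
import sqlite3

# Constructed allowlist of columns a caller may group the report listing by.
ALLOWED_GROUPINGS = {"report_type", "created_by", "is_active"}


def build_report_sql_unsafe(grp: str) -> str:
    """Vulnerable pattern: the URL parameter is interpolated into GROUP BY verbatim."""
    return f"SELECT {grp}, COUNT(*) FROM reports GROUP BY {grp}"


def build_report_sql(grp: str) -> str:
    """Hardened pattern: the grouping column must match the fixed allowlist.

    Identifiers cannot be bound as parameters, so validating against a fixed set
    of known column names is the control; anything else is rejected outright.
    """
    if grp not in ALLOWED_GROUPINGS:
        raise ValueError(f"invalid grouping parameter: {grp!r}")
    return f"SELECT {grp}, COUNT(*) FROM reports GROUP BY {grp}"


def grouping_is_safe(grp: str) -> bool:
    """True if the hardened builder accepts the value, False if it rejects it."""
    try:
        build_report_sql(grp)
        return True
    except ValueError:
        return False


def demo_db() -> sqlite3.Connection:
    """Constructed in-memory sample data standing in for a report listing table."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE reports (id INTEGER, title TEXT, report_type TEXT,
                              created_by TEXT, is_active INTEGER);
        INSERT INTO reports VALUES (1, 'Donor summary', 'contribute', 'admin', 1),
                                   (2, 'Event attendance', 'event', 'admin', 1),
                                   (3, 'Membership lapses', 'member', 'staff', 0);
        """
    )
    return conn


def list_reports(conn: sqlite3.Connection, grp: str) -> list:
    """Run the validated grouping query and return (group value, count) rows."""
    return conn.execute(build_report_sql(grp)).fetchall()
```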

Solutions: 

Upgrade to the latest version of CiviCRM

  • 4.7.26
  • 4.6.33

or later

If you cannot upgrade, you should apply the following patch:

Credits: 

Sean Madsen of Left Join Labs for reporting and fixing the issue.

References: