Published
2019-05-15 09:00
In CiviCRM APIv3, a generic action ("getOptions") inappropriately propagated an advanced option ("condition") to a lower level function, which effectively allowed a caller to include arbitary SQL conditions. The "getOptions" API will now ignore the "condition" option.
Security Risk
Critical
Vulnerability
SQL Injection
Affected Versions
CiviCRM versions 5.13.0 and earlier
Fixed Versions
CiviCRM version 5.13.4 and 5.7.6
Solutions
Upgrade to the latest version of CiviCRM
Credits
Coleman Watts of CiviCRM Core Team for reporting the isssue and fixing the issue.
References
security/core!56
