CIVI-SA-2019-16: SQLI in certain checkboxes

Submitted by dev-team on May 15, 2019 - 09:00
Security Risk: 
Critical
Vulnerability: 
SQL Injection
Affected Versions: 

CiviCRM versions 5.13.0 and earlier

Fixed Versions: 

CiviCRM version 5.13.4 and 5.7.6

Publication Date: 
Wednesday, May 15, 2019
Description: 

When generating a query for finding particular checkbox values, the query was not properly being escaped before being passed onto the database.

Solutions: 

Upgrade to the latest version of CiviCRM

Credits: 

Jamie McClelland of Progressive Technology Project for reporting and fixing the issue

References: 

security/core#44

WORK WITH A TRUSTED EXPERT
TO SETUP YOUR CIVICRM

Make your next CiviCRM implementation a Success.
Find an Expert

© 2005 - 2019, CIVICRM LLC. All rights reserved.
CiviCRM and the CiviCRM logo are trademarks of CIVICRM LLC. Except where otherwise noted, content on this site is licensed under a Creative Commons Attribution-Share Alike 3.0 United States Licence.