CIVI-SA-2020-06: SQLI in Query Builder

Published

2020-04-15 12:00

Written by

dev-team

When constructing contact search queries, values for certain fields were not properly escaped -- allowing for SQL injection.

Security Risk

Moderately Critical

Vulnerability

SQL Injection

Affected Versions

CiviCRM version 5.24.2 and earlier

Fixed Versions

CiviCRM version 5.24.3 and 5.21.3

Publication Date

2020-04-15 - 12:00

Solutions

Upgrade to the latest version of CiviCRM

Credits

Cure53 and Mozilla Open Source Support (MOSS) for reporting the issue
Seamus Lee (JMA Consulting/CiviCRM) and Patrick Figel (Greenpeace CEE) for fixing the issue

References

CIV-01-020

We are in the process of translating the civicrm.org website. Translations may not be available in all languages. Read more and participate.

© 2005 - 2023, CIVICRM LLC. All rights reserved.
CiviCRM and the CiviCRM logo are trademarks of CIVICRM LLC. Except where otherwise noted, content on this site is licensed under a Creative Commons Attribution-Share Alike 3.0 United States Licence.

[D8]

CIVI-SA-2020-06: SQLI in Query Builder

WORK WITH A TRUSTED EXPERT
TO SETUP YOUR CIVICRM

Languages

CIVI-SA-2020-06: SQLI in Query Builder

WORK WITH A TRUSTED EXPERT TO SETUP YOUR CIVICRM

WORK WITH A TRUSTED EXPERT
TO SETUP YOUR CIVICRM