CIVI-SA-2023-10: Multiple Potential SQLI

2023-09-06 12:00
Written by dev-team, member of the CiviCRM community

A problematic code pattern was found in approximately 8 places. Any of these places could be vulnerable to a SQL injection (SQLi) attack. However, it is believed that most or all have mitigating factors that prevent exploits.

Security Risk
Moderately Critical
SQL Injection
Affected Versions

CiviCRM version 5.64.3 and earlier

Fixed Versions

CiviCRM version 5.64.4, 5.65.0 and 5.63.4 (ESR)

Publication Date

2023-09-06

Solution

Upgrade to the fixed version of CiviCRM

Credits

Rich Lott of Artful Robot.
Seamus Lee of JMA Consulting/CiviCRM.
Tim Otten of CiviCRM.
Coleman Watts of CiviCRM.