CIVI-SA-2018-04: SQL injection in Custom Groups

Published: 2018-07-18 09:00

When generating the list of custom groups that use a particular sub-type, the sub-type value was not properly escaped before being used in the SQL query, allowing SQL injection through that value.
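The following is an added illustration of the bug class, not CiviCRM's own code or schema: a constructed, simplified custom-group table queried by sub-type, first with the sub-type interpolated into the SQL text (the pre-fix behaviour) and then with it bound as a query parameter. Table and column names are assumptions made for the example.

```python
import sqlite3

# Constructed sample data modelling custom groups attached to a contact
# sub-type. Schema and column names are assumptions, not CiviCRM's.
ROWS = [
    (1, "Volunteer details", "Individual", "Volunteer"),
    (2, "Donor history", "Individual", "Donor"),
    (3, "Sponsor contacts", "Organization", "Sponsor"),
]


def make_db():
    """Build an in-memory database holding the sample custom groups."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE custom_group("
        "id INTEGER, title TEXT, extends TEXT, sub_type TEXT)"
    )
    conn.executemany("INSERT INTO custom_group VALUES (?,?,?,?)", ROWS)
    return conn


def groups_for_subtype_vulnerable(conn, sub_type):
    """Pre-fix pattern: the sub-type is pasted into the SQL string,
    so any quote characters it contains change the query itself."""
    sql = f"SELECT title FROM custom_group WHERE sub_type = '{sub_type}'"
    return [row[0] for row in conn.execute(sql)]


def groups_for_subtype_fixed(conn, sub_type):
    """Fixed pattern: the sub-type is bound as a parameter, so it is only
    ever compared as a value and can never alter the query structure."""
    sql = "SELECT title FROM custom_group WHERE sub_type = ?"
    return [row[0] for row in conn.execute(sql, (sub_type,))]


# A sub-type value containing a quote, used to show the difference in
# behaviour between the two lookups (constructed for this example).
CRAFTED_SUBTYPE = "Volunteer' OR '1'='1"

if __name__ == "__main__":
    db = make_db()
    print(groups_for_subtype_vulnerable(db, "Volunteer"))
    print(groups_for_subtype_vulnerable(db, CRAFTED_SUBTYPE))  # every group
    print(groups_for_subtype_fixed(db, CRAFTED_SUBTYPE))       # no match
```

The unpatched lookup returns every custom group for the quoted value, while the parameterised lookup returns nothing, which is the observable difference a regression test for this fix would check.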

Security Risk: Moderately Critical

Vulnerability: SQL Injection

Affected Versions

CiviCRM versions 5.3.0 and 4.6.37 (and earlier)


Fixed Versions

CiviCRM version 5.3.1 and 4.6.38 (and later)


Solutions

Upgrade to the latest version of CiviCRM (5.3.1 or 4.6.38, or later).

Credits

Patrick Figel of Greenpeace for reporting the issue.

Seamus Lee of the Australian Greens for fixing the issue.

References

security/core#13