CIVI-SA-2019-02: SQLI in "PrevNext" Cache

Publicat
2019-02-20 09:00
Written by

When populating the "PrevNext" cache, some values were not properly escaped - which enabled a SQL-injection (SQLI) vulnerability.

Security Risk
Critical
Vulnerability
SQL Injection
Affected Versions

CiviCRM Versions 5.10.2 and earlier

Fixed Versions

CiviCRM versions 5.10.3 and 5.7.4

Solutions

Upgrade to the latest version of CiviCRM

Credits

Tim Otten of CiviCRM for reporting the issue

Seamus Lee of Australian Greens and Tim Otten of CiviCRM for fixing the issue

References

security/core#25