CIVI-SA-2019-19: SQLI in "dedupefind"

Publicat
2019-11-20 09:00
Written by

The "dedupefind" endpoint facilitates de-duplication of contacts. The endpoint had a SQL injection vulnerability.

 

Security Risk
Critical
Vulnerability
SQL Injection
Affected Versions
  • CiviCRM before 5.19.2 and before 5.13.7
Fixed Versions
  • CiviCRM 5.19.2 and 5.13.7
Solutions

Upgrade to the latest version of CiviCRM

Credits

Patrick Figel of Greenpeace CEE for reporting and fixing the issue

References

security/core#59