CIVI-SA-2020-06: SQLI in Query Builder

Published
2020-04-15 12:00
Written by

When constructing contact search queries, values for certain fields were not properly escaped, allowing for SQL injection.

Security Risk
Moderately Critical
Vulnerability
SQL Injection
Affected Versions

CiviCRM version 5.24.2 and earlier

Fixed Versions

CiviCRM versions 5.24.3 and 5.21.3

Solutions

Upgrade to the latest version of CiviCRM

Credits

Cure53 and Mozilla Open Source Support (MOSS) for reporting the issue
Seamus Lee (JMA Consulting/CiviCRM) and Patrick Figel (Greenpeace CEE) for fixing the issue

References

CIV-01-020