CIVI-SA-2016-21 Incorrect Escaping of custom group name in CiviCase

Veröffentlicht

2016-11-18 21:46

Written by

seamuslee

It was identified that inputs were not correctly validated when viewing an activity related to a case, due to custom group title not being properly escaped for SQL generation.

This is mitigated by the fact that an attacker would need to have the "administer CiviCRM" permission, and that the issue only affects sites with CiviCase enabled.

Security Risk

Less Critical

Vulnerability

SQL Injection

Affected Versions

4.7.13 and earlier
4.6.23 and earlier

Fixed Versions

4.7.14
4.6.24

Solutions

Upgrade to latest CiviCRM version
If you cannot upgrade, apply the following patches.
- https://github.com/civicrm/civicrm-core/pull/9395
- https://github.com/civicrm/civicrm-core/pull/9433

Credits

Mathieu Lutfy for reporting and providing the fix.

References

Issue CRM-19641

We are in the process of translating the civicrm.org website. Translations may not be available in all languages. Read more and participate.

© 2005 - 2023, CIVICRM LLC. All rights reserved.
CiviCRM and the CiviCRM logo are trademarks of CIVICRM LLC. Except where otherwise noted, content on this site is licensed under a Creative Commons Attribution-Share Alike 3.0 United States Licence.

[D8]

CIVI-SA-2016-21 Incorrect Escaping of custom group name in CiviCase

WORK WITH A TRUSTED EXPERT
TO SETUP YOUR CIVICRM

Languages

CIVI-SA-2016-21 Incorrect Escaping of custom group name in CiviCase

WORK WITH A TRUSTED EXPERT TO SETUP YOUR CIVICRM

WORK WITH A TRUSTED EXPERT
TO SETUP YOUR CIVICRM