CIVI-SA-2017-16 SQL Injection risk in CiviReports Listing

2017-11-01 09:00

Previously the grp URL parameter passed to the CiviReports listing was not validated before being used in the grouping part of an SQL query, which allowed for SQL injection. The SQL that lists the reports has now been re-written so that every variable used in it is properly validated.
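The pattern described above, as an added example that is not code from CiviCRM or from this advisory: a report listing that interpolates a user-supplied grp value into its grouping clause, beside a hardened version that validates grp against a fixed allowlist before it can reach the query. The table, column names, sample rows and the allowlist are assumptions constructed for the example; the point is that a grouping column cannot be sent as a bound parameter, so validation against known values is the right fix.

```python
import sqlite3

# Constructed sample data standing in for a report listing table. The table,
# its columns and these rows are assumptions for this example, not CiviCRM's schema.
REPORTS = [
    ("Contact Report", "contact", 1),
    ("Activity Report", "activity", 1),
    ("Contribution Summary", "contribute", 1),
    ("Hidden Admin Report", "contact", 0),
]

# Allowlist (assumed): the only grp values the listing accepts, each mapped to
# the real column it groups by. User input selects an entry; it is never used as SQL text.
GROUPING_COLUMNS = {"component": "component", "name": "title"}


def open_db():
    """Create an in-memory database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE report (title TEXT, component TEXT, is_active INTEGER)")
    conn.executemany("INSERT INTO report VALUES (?, ?, ?)", REPORTS)
    return conn


def list_reports_vulnerable(conn, grp):
    """Before the fix: grp is pasted straight into the grouping clause."""
    sql = f"SELECT component, COUNT(*) FROM report WHERE is_active = 1 GROUP BY {grp}"
    return conn.execute(sql).fetchall()


def list_reports_safe(conn, grp):
    """After the fix: grp must be one of the known grouping keys."""
    if grp not in GROUPING_COLUMNS:
        raise ValueError(f"invalid grouping: {grp!r}")
    column = GROUPING_COLUMNS[grp]  # trusted string from our own table, not from the request
    sql = (
        f"SELECT {column}, COUNT(*) FROM report WHERE is_active = 1 "
        f"GROUP BY {column} ORDER BY {column}"
    )
    return conn.execute(sql).fetchall()


# A grp value that turns the grouping clause into a UNION pulling every row,
# including inactive reports the WHERE clause was meant to hide.
INJECTION_PAYLOAD = "component UNION SELECT title, is_active FROM report --"


def demo():
    """Run both variants against the same payload and report the outcome."""
    conn = open_db()
    leaked = list_reports_vulnerable(conn, INJECTION_PAYLOAD)
    try:
        list_reports_safe(conn, INJECTION_PAYLOAD)
        rejected = False
    except ValueError:
        rejected = True
    return {"vulnerable_rows": leaked, "safe_rejected": rejected}


if __name__ == "__main__":
    result = demo()
    print("vulnerable query returned:", result["vulnerable_rows"])
    print("hardened query rejected payload:", result["safe_rejected"])
```

The hardened version also fixes the result order so the listing is deterministic; the vulnerable version is kept only to show why a grouping column must come from an allowlist rather than from the request.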

Security Risk
Less Critical
SQL Injection
Affected Versions

CiviCRM Versions prior to 4.7.26 and 4.6.33

Fixed Versions

CiviCRM Versions 4.7.26 and 4.6.33


Upgrade to the latest version of CiviCRM

  • 4.7.26
  • 4.6.33

or later

If you cannot upgrade, you should apply the following patch:


Thanks to Sean Madsen of Left Join Labs for reporting and fixing the issue.