CIVI-SA-2019-14: SQLI in APIv3 getOptions

Published
2019-05-15 09:00
Written by

In CiviCRM APIv3, a generic action ("getOptions") inappropriately propagated an advanced option ("condition") to a lower-level function, which effectively allowed a caller to include arbitrary SQL conditions. The "getOptions" API will now ignore the "condition" option.
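As an added illustration of the pattern the advisory describes (example code, not CiviCRM's own; the table, option group, column names and function names are assumptions), the pre-fix API layer forwards the caller's "condition" option into the SQL builder, while the fixed layer filters options against an allowlist so "condition" never reaches the query:

```python
import sqlite3

# Constructed sample table standing in for an option-value lookup. The schema,
# rows and function names are assumptions for this example, not CiviCRM's code.
ROWS = [
    ("activity_type", "Meeting", 1),
    ("activity_type", "Phone Call", 2),
    ("activity_type", "Email", 3),
]

ALLOWED_OPTIONS = {"limit"}  # caller-tunable options that survive the API boundary


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE option_value (group_name TEXT, label TEXT, value INTEGER)")
    conn.executemany("INSERT INTO option_value VALUES (?, ?, ?)", ROWS)
    return conn


def lower_level_lookup(conn, group_name, condition=None, limit=None):
    """Lower-level helper that trusts its caller: any 'condition' string is
    spliced into the SQL text, while 'limit' is bound as a parameter."""
    sql = "SELECT label FROM option_value WHERE group_name = ?"
    args = [group_name]
    if condition:
        sql += " AND (" + condition + ")"  # relies on the caller being trusted
    sql += " ORDER BY value"
    if limit is not None:
        sql += " LIMIT ?"
        args.append(int(limit))
    return [row[0] for row in conn.execute(sql, args)]


def get_options_vulnerable(conn, group_name, params):
    # Before the fix: the caller's 'condition' is forwarded unchanged, so an
    # API consumer controls part of the SQL text.
    return lower_level_lookup(conn, group_name,
                              condition=params.get("condition"),
                              limit=params.get("limit"))


def get_options_fixed(conn, group_name, params):
    # After the fix: options are filtered against an allowlist at the API
    # boundary; 'condition' is dropped and never reaches the SQL builder.
    safe = {k: v for k, v in params.items() if k in ALLOWED_OPTIONS}
    return lower_level_lookup(conn, group_name, limit=safe.get("limit"))
```

Calling both with the same request shows the difference: the vulnerable layer returns a result shaped by the caller's SQL fragment, the fixed layer returns the unfiltered option list.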

Security Risk

Critical

Vulnerability

SQL Injection

Affected Versions

CiviCRM versions 5.13.0 and earlier

Fixed Versions

CiviCRM versions 5.13.4 and 5.7.6

Solutions

Upgrade to the latest version of CiviCRM

Credits

Coleman Watts of CiviCRM Core Team for reporting and fixing the issue.

References

security/core!56