CIVI-SA-2015-009: Incorrect escaping of user input

Publicado
2015-09-27 19:26
Written by

There was a bug in one of CiviCRM's internal type checks which may allow inappropriate user input to be saved to the database and/or displayed.

This was a general weakness in one of CiviCRM's security layers; no specific exploits of this have been identified. This type of vulnerability could potentially allow attackers to save malicious content to the database or display it to site users.

Security Risk
Critical
Vulnerability
Cross Site Scripting
SQL Injection
Affected Versions

4.5 - 4.6.8

Fixed Versions

4.6.9

Solutions

If you are using CiviCRM 4.5+, upgrade to the latest version.

Note that this bug did not affect the 4.4 LTS series.

Credits

Coleman Watts of the CiviCRM core team

References

https://issues.civicrm.org/jira/browse/CRM-17291