CIVI-SA-2016-12: SQL injection in API

Publicado
2016-08-23 15:19
Written by

A SQL injection vulnerability in CiviCRM's API was identified, where an API parameter was identified as being passed directly to SQL.

This is mitigated by the fact that the remote user must have some elevated permissions to exploit the vulnerability. CiviCRM recommends that all sites upgrade to obtain this and other recent fixes.

Security Risk
Moderately Critical
Vulnerability
SQL Injection
Affected Versions

CiviCRM versions prior to 4.7.11 or 4.6.21

Fixed Versions

CiviCRM versions 4.7.11 or greater, or 4.6.21 or greater

Solutions

Ideally, 

  • Upgrade to CiviCRM 4.7.11 or greater, or 4.6.21 or greater

If you are unable to upgrade to one of these releases, then you may wish to patch your install. Relevant patches are:

  • https://github.com/civicrm/civicrm-core/pull/8693

  • https://github.com/civicrm/civicrm-core/pull/8901

  • https://github.com/civicrm/civicrm-core/pull/8859 (4.7 only)

  • https://github.com/civicrm/civicrm-core/pull/8862 (4.6 only)

Credits
  • Seamus Lee and Frank J. Gómez for providing a fix
  • Frank J. Gómez for identifying and disclosing the issue to CiviCRM
References
  • https://issues.civicrm.org/jira/browse/CRM-19068 (restricted access)
CVE
CIVI-SA-2016-12