CIVI-SA-2022-02: CiviEvent Importer, SQL Injection

Publicado
2022-03-16 12:00
Written by

When importing "Participant" records for CiviEvent, some inputs were not suitably escaped.

Security Risk
Moderately Critical
Vulnerability
SQL Injection
Affected Versions

All versions less than or equal to: 5.47.1, 5.46.2, 5.45.3

Fixed Versions

CiviCRM version 5.46.3. 5.47.2, 5.45.4 ESR

Publication Date
Solutions

If you are not on the ESR and haven't yet upgraded to 5.47 upgrade to 5.46.3, if you have upgraded to 5.47 then upgrade to 5.47.2

Credits

Mathieu Lutfy of Coop SymbioTIC for reporting the issue and fixing the issue

References

security/core#113