The CiviCRM API provides programmatic access to CiviCRM. Multiple APIs were vulnerable to SQL injection attacks.
The potential to exploit these vulnerabilities is limited by multiple factors:
- An attacker must have either valid credentials or an ability to post malicious content on the target's domain.
- An attacker must hold an elevated permission ("access CiviCRM" or "access AJAX API") and, in addition, have access to the specific APIs that were affected.
- CiviCRM's mechanism for constructing SQL queries makes it difficult to build a valid, meaningful exploit. (No meaningful exploit has been identified so far, but that does not mean one is impossible.)
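The third factor above refers to the way CiviCRM substitutes query parameters through typed placeholders (the `%1` / `[$value, 'Integer']` convention of `CRM_Core_DAO::executeQuery`), where each value must pass the check for its declared type before any SQL is assembled. The following is an added illustration written in Python for this page; it is not CiviCRM's PHP and is not the vulnerable API code this advisory covers. The table, the two handler functions, the type names `Integer` and `Positive`, and the injection payload are all constructed for the demonstration; the only thing borrowed from CiviCRM is the placeholder convention itself.

```python
"""Illustration (not CiviCRM code) of why typed query placeholders limit SQL injection.

Constructed example: an in-memory SQLite table stands in for a contact table,
and a hypothetical API handler builds a lookup query from a caller-supplied
parameter. The 'vulnerable' handler pastes the value into the SQL text; the
'typed' handler follows the %N / (value, type) placeholder convention that
CiviCRM's CRM_Core_DAO::executeQuery uses, re-implemented here in Python.
"""
import re
import sqlite3

# Constructed sample data standing in for a contact table.
SAMPLE_ROWS = [
    (1, "Alice Example", 0),
    (2, "Bob Example", 0),
    (3, "Carol Example", 1),  # is_deleted = 1: must never be returned
]


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE contact (id INTEGER, display_name TEXT, is_deleted INTEGER)")
    conn.executemany("INSERT INTO contact VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


def get_contact_vulnerable(conn, contact_id: str) -> list:
    """Hypothetical injectable handler: the parameter is interpolated into the SQL text."""
    sql = f"SELECT id, display_name FROM contact WHERE id = {contact_id} AND is_deleted = 0"
    return conn.execute(sql).fetchall()


# Validators for the placeholder types this illustration supports. The names
# mirror CiviCRM's CRM_Utils_Type vocabulary; only these two are implemented here.
_VALIDATORS = {
    "Integer": lambda v: re.fullmatch(r"-?\d+", str(v)) is not None,
    "Positive": lambda v: re.fullmatch(r"\d+", str(v)) is not None and int(v) > 0,
}


class QueryParamError(ValueError):
    """Raised when a placeholder value fails its declared type check."""


def compose_query(sql: str, params: dict) -> str:
    """Substitute %N placeholders with values that must pass their declared type.

    params maps placeholder number -> (value, type_name). A value that does not
    match its type is rejected before any SQL is built, so a payload such as
    '2 OR 1=1 --' never reaches the database.
    """
    def substitute(match):
        n = int(match.group(1))
        if n not in params:
            raise QueryParamError(f"no value for placeholder %{n}")
        value, type_name = params[n]
        validator = _VALIDATORS.get(type_name)
        if validator is None:
            raise QueryParamError(f"unsupported placeholder type {type_name!r}")
        if not validator(value):
            raise QueryParamError(f"%{n}: {value!r} is not a valid {type_name}")
        return str(value)
    return re.sub(r"%(\d+)", substitute, sql)


def get_contact_typed(conn, contact_id: str) -> list:
    """Hardened handler: the id is bound through a typed placeholder."""
    sql = compose_query(
        "SELECT id, display_name FROM contact WHERE id = %1 AND is_deleted = 0",
        {1: (contact_id, "Positive")},
    )
    return conn.execute(sql).fetchall()


def demo() -> dict:
    """Run both handlers with a benign id and with an injection payload."""
    conn = make_db()
    benign = "2"
    payload = "2 OR 1=1 --"  # the comment drops the is_deleted filter; every row matches
    results = {
        "vulnerable_benign": get_contact_vulnerable(conn, benign),
        "vulnerable_payload": get_contact_vulnerable(conn, payload),
        "typed_benign": get_contact_typed(conn, benign),
    }
    try:
        get_contact_typed(conn, payload)
        results["typed_payload"] = "accepted"
    except QueryParamError as exc:
        results["typed_payload"] = f"rejected: {exc}"
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The point of the example is the narrowing effect the advisory describes: when every parameter has to satisfy a declared type before substitution, an attacker who can reach an API is restricted to values that survive that check, which is why a working exploit is hard to construct even where a query is assembled incorrectly. A parameter substituted with no type check at all, or with a permissive type, is where such a mechanism would still fail.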
Affected versions: all versions prior to the fixed releases listed below.
Fixed versions:
- 4.2.13
- 4.3.8
- 4.4.1
Resolution: upgrade to one of the fixed versions.
Credits: Eileen McNaughton, Donald Lobo, Nicolas Ganivet, Coleman Watts