Publié
2013-11-04 16:54
The CiviCRM API provides programmatic access to CiviCRM. Multiple APIs were vulnerable to SQL injection attacks.
The potential to exploit these vulnerabilities is limited by multiple factors:
- An attacker must have either valid credentials or an ability to post malicious content on the target's domain.
- An attacker must have an advanced permission -- "access CiviCRM" or "access AJAX API" -- in conjunction with access to specific APIs.
- CiviCRM's mechanism for constructing SQL queries makes it difficult to construct a valid, meaningful exploit. (A meaningful exploit has not yet been identified, but this does not mean that an exploit is impossible.)
Security Risk
Moderately Critical
Vulnerability
SQL Injection
Affected Versions
All previous versions.
Fixed Versions
- 4.2.13
- 4.3.8
- 4.4.1
Solutions
Upgrade to one of the fixed versions.
Credits
Eileen McNaughton, Donald Lobo, Nicolas Ganivet, Coleman Watts
