Publié
2016-05-03 14:16
Multiple SQL injections have been identified in AJAX helpers supporting backend forms. An exploit has been demonstrated. Executing an exploit requires a user account with some kind of CiviCRM permission (such as "access CiviCRM" or "view my contact").
Security Risk
Moderately Critical
Vulnerability
SQL Injection
Affected Versions
Up to v4.7.6 and v4.6.15.
Fixed Versions
v4.7.7+ and v4.6.16+
Solutions
Any ONE of the following should provide protection:
- Upgrade to v4.7.7+ or v4.6.16+
- Restrict user permissions (such as "access CiviCRM" or "view my contact") to trusted individuals
- Backport PRs #8106, #8205, #8216, #8275
Credits
- Simon Waters (Surevine)
- Mattias Michaux
- Seamus Lee (Australian Greens)
- Dave Jenkins (Circle Interactive)
- Chris Burgess and Eileen McNaughton (Fuzion)
- Tim Otten (CiviCRM)
