CIVI-SA-2017-16 SQL Injection risk in CiviReports Listing

Published
2017-11-01 09:00
Written by

Previously there was no validation of the `grp` URL parameter, which was passed straight into the grouping part of an SQL statement, allowing the possibility of SQL injection. The SQL that lists the reports has now been rewritten to properly validate all variables used in the statement.
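The kind of fix the advisory describes, an allow-list check on the `grp` parameter before it can reach the GROUP BY clause, shown as an added illustration in PHP. This is not CiviCRM's own code: the table and column names, the `$allowedGroupings` map and the `fetchReportListing()` function are assumed for the example.

```php
<?php
// Added illustration, not CiviCRM's code. The table, column names and the
// allow-list below are assumed for the example.

// Vulnerable pattern: the raw `grp` URL parameter is concatenated into the
// grouping part of the SQL, so the database executes whatever the client sent.
//   $sql = "SELECT ... FROM civicrm_option_value GROUP BY " . $_GET['grp'];

// Hardened: map the user-supplied key to a fixed column name. Identifiers
// (GROUP BY / ORDER BY columns) cannot be bound as placeholders, so an
// allow-list is the appropriate control for them.
function resolveGroupingColumn(?string $grp): string
{
    $allowedGroupings = [
        'component' => 'component_id',
        'grouping'  => 'grouping',
    ];
    // Unknown or missing keys fall back to a safe default rather than
    // being passed through to the query.
    if ($grp === null || !array_key_exists($grp, $allowedGroupings)) {
        return $allowedGroupings['grouping'];
    }
    return $allowedGroupings[$grp];
}

function fetchReportListing(PDO $db, ?string $grp, bool $activeOnly): array
{
    $column = resolveGroupingColumn($grp);
    // Only the validated column name is spliced into the statement; the
    // data value (is_active) is bound through a placeholder.
    $sql = "SELECT `$column` AS grp, COUNT(*) AS n
              FROM civicrm_option_value
             WHERE is_active = :active
          GROUP BY `$column`";
    $stmt = $db->prepare($sql);
    $stmt->execute([':active' => $activeOnly ? 1 : 0]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Example call: $grp comes from the request, e.g. $_GET['grp'] ?? null.
// fetchReportListing($pdo, $_GET['grp'] ?? null, true);
```

The same allow-list pattern applies to any other identifier (sort column, sort direction, table name) that a listing page takes from the request.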

Security Risk
Less Critical
Vulnerability
SQL Injection
Affected Versions

CiviCRM Versions prior to 4.7.26 and 4.6.33

Fixed Versions

CiviCRM Versions 4.7.26 and 4.6.33

Solutions

Upgrade to the latest version of CiviCRM

  • 4.7.26
  • 4.6.33

or later

If you cannot upgrade, you should apply the following patch:

Credits

Sean Madsen of Left Join Labs for reporting and fixing the issue.

References