Publié
2020-04-15 12:00
When constructing the SQL queries for deleting activities or getting summary information about CiviCampaigns, there was inadequate escaping of SQL variables that were passed in from request parameters.
Security Risk
Critical
Vulnerability
SQL Injection
Affected Versions
CiviCRM version 5.24.2 and earlier
Fixed Versions
CiviCRM version 5.24.3 and 5.21.3
Publication Date
Solutions
Upgrade to the latest version of CiviCRM
Credits
Cure53 and Mozilla Open Source Support (MOSS) for reporting the issue
Seamus Lee (JMA Consulting/CiviCRM) and Patrick Figel (Greenpeace CEE) for resolving the issue
References
CIV-01-014
