CIVI-SA-2018-01: SQL injection in get-cases AJAX API

Közzétéve
2018-07-18 09:00
Written by

When retrieving cases via AJAX, some parameters were not properly validated. This allowed for SQL injection.

Security Risk
Moderately Critical
Vulnerability
SQL Injection
Affected Versions

CiviCRM versions 5.3.0 and 4.6.37 (and earlier)

 

Fixed Versions

CiviCRM version 5.3.1 and 4.6.38 (and later)

 

Solutions

Upgrade to the latest version of CiviCRM

Credits

Patrick Figel of Greenpeace for reporting the issue.

Coleman Watts of CiviCRM Core Team for fixing the issue. 

References

security/core#12