CIVI-SA-2019-04: SQLI in Group / Tag Filters

Published
2019-02-20 09:00
Written by

When conducting a "Contact" search, the groups and tags parameters were vulnerable to SQL injection.

Security Risk
Critical
Vulnerability
SQL Injection
Affected Versions

CiviCRM versions 5.10.2 and earlier

Fixed Versions

CiviCRM versions 5.10.3 and 5.7.4

Solutions

Upgrade to the latest CiviCRM version

Credits

Patrick Figel of Greenpeace for reporting and fixing the issue

References

security/core#28