Pubblicato
2016-11-18 21:50
When generating an API query, the ORDER BY clause for some entities was not correctly validated and escaped. This may have permitted data disclosure via time-based blind SQL attacks.
This is mitigated by the fact that attacks would require API access to exploit the vulnerability.
Security Risk
Moderately Critical
Vulnerability
SQL Injection
Affected Versions
- 4.7.13 and earlier
- 4.6.23 and earlier
Fixed Versions
- 4.7.14
- 4.6.24
Solutions
- Upgrade to the latest CiviCRM version
- Apply the following patch if you cannot upgrade: https://github.com/civicrm/civicrm-core/pull/9343
Credits
Mattias Michaux for reporting the issue
Seamus Lee for fixing the issue
References