CIVI-SA-2016-21 Incorrect Escaping of custom group name in CiviCase

2016-11-18 21:46
Written by seamuslee (member of the CiviCRM community)

It was identified that input was not correctly escaped when viewing an activity related to a case: the title of a custom group was inserted into generated SQL without being properly escaped, which allows SQL injection through a crafted custom group title.

This is mitigated by the fact that an attacker would need the "administer CiviCRM" permission (the permission required to create or edit custom groups and hence to set the title), and that the issue only affects sites with CiviCase enabled.
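As an added example (not CiviCRM's code, and not the actual code path that was patched), the following Python script shows the class of flaw described above on a constructed in-memory SQLite database: a custom group title spliced into generated SQL text, beside the same query with the title passed as a bound parameter. The page does not say whether the title ends up in the real query as a value or as an identifier, so a validated-identifier helper is included for the second case. The table layout, column names, sample rows and function names are all assumptions made for illustration and only loosely mirror civicrm_custom_group.

```python
"""Added example, not CiviCRM code: a custom group title interpolated into
generated SQL, beside the parameterised form. Runs offline on SQLite."""
import re
import sqlite3

# Constructed sample data; the schema is a simplified stand-in (assumption).
SAMPLE_GROUPS = [
    (1, "Case Intake", "civicrm_value_case_intake_1", "Activity"),
    (2, "Client's Details", "civicrm_value_client_details_2", "Activity"),
    (3, "Donor Profile", "civicrm_value_donor_profile_3", "Contact"),
]


def open_db():
    """Build an in-memory database standing in for part of the CiviCRM schema."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE civicrm_custom_group ("
        "id INTEGER PRIMARY KEY, title TEXT, table_name TEXT, extends TEXT)"
    )
    conn.executemany(
        "INSERT INTO civicrm_custom_group VALUES (?, ?, ?, ?)", SAMPLE_GROUPS
    )
    return conn


def vulnerable_lookup(conn, title):
    """The flawed pattern: the title becomes part of the SQL text.

    Whoever can edit the custom group (in CiviCRM, "administer CiviCRM")
    controls part of a statement that later runs for every viewer of the case.
    """
    template = ("SELECT id, table_name FROM civicrm_custom_group "
                "WHERE title = '%s' AND extends = 'Activity'")
    return conn.execute(template % title).fetchall()


def hardened_lookup(conn, title):
    """Same query with the title sent as a bound parameter.

    Quotes and comment markers inside the title are plain data here and
    cannot alter the statement's structure.
    """
    sql = ("SELECT id, table_name FROM civicrm_custom_group "
           "WHERE title = ? AND extends = 'Activity'")
    return conn.execute(sql, (title,)).fetchall()


# Identifiers (e.g. a custom group's table_name, or a title used as a column
# alias) cannot be bound as parameters, so they are validated against a strict
# pattern before being quoted into the statement.
IDENTIFIER_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]{0,63}$")


def quote_identifier(name):
    """Return a backtick-quoted identifier, or raise if it is not a plain name."""
    if not IDENTIFIER_RE.match(name):
        raise ValueError("refusing to use %r as an SQL identifier" % name)
    return "`%s`" % name


def select_from_group_table(table_name, entity_id):
    """Generate a per-group data query: identifier validated, value bound."""
    sql = "SELECT * FROM %s WHERE entity_id = ?" % quote_identifier(table_name)
    return sql, (entity_id,)


def demo():
    """Run both lookups with a hostile title and a benign title containing a quote."""
    conn = open_db()
    injected = "x' OR 1=1 -- "          # closes the literal, then comments out the rest
    benign = "Client's Details"         # a legitimate title that also breaks naive splicing
    results = {
        "vulnerable_injected": vulnerable_lookup(conn, injected),  # every group, not just Activity
        "hardened_injected": hardened_lookup(conn, injected),      # no rows
        "hardened_benign": hardened_lookup(conn, benign),          # the one matching row
    }
    try:
        vulnerable_lookup(conn, benign)
        results["vulnerable_benign"] = "ran"
    except sqlite3.OperationalError as exc:  # the apostrophe makes the SQL unparseable
        results["vulnerable_benign"] = "error: %s" % exc
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

The hostile title turns the WHERE clause into `title = 'x' OR 1=1 -- ...`, so the vulnerable query returns every custom group regardless of what it extends, while the bound-parameter version returns nothing for that title. The benign title with an apostrophe is the other half of the lesson: unescaped splicing does not only admit injection, it also breaks on ordinary data, whereas binding handles it correctly.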

Security Risk
Less Critical
Vulnerability Type
SQL Injection
Affected Versions
  • 4.7.13 and earlier
  • 4.6.23 and earlier
Fixed Versions
  • 4.7.14
  • 4.6.24
Solution
  • Upgrade to latest CiviCRM version
  • If you cannot upgrade, apply the following patches.

Thanks to Mathieu Lutfy for reporting and providing the fix.