Gepubliceerd
2019-05-15 09:00
When preparing the query for finding events for the Manage Events page, the event type parameter was not properly escaped.
Security Risk
Critical
Vulnerability
SQL Injection
Affected Versions
CiviCRM versions 5.13.0 and earlier
Fixed Versions
CiviCRM version 5.13.4 and 5.7.6
Solutions
Upgrade to latest CiviCRM
Credits
Allen Shaw of Joinery for reporting the issue
Seamus Lee of Australian Greens for fixing the issue
References
security/core#51