The "Quick Search" bar in CiviCRM v4.3 includes a backend for processing search requests which is split in two layers. Both layers may be accessed remotely by backend users with permission "access CiviCRM." A malicious user may bypass one layer (which performs SQL validation/escaping) and call the second layer directly (thus bypassing SQL validation/escaping).
Note: The scope of the SQL injection is limited compared to a typical SQL injection because CiviCRM's SQL API does not accept SQL queries with multiple statements. Consequently: