CIVI-SA-2020-05: SQL Injection in Campaign Summary and Delete Activity

Gepubliceerd
2020-04-15 12:00
Written by

When constructing the SQL queries for deleting activities or getting summary information about CiviCampaigns, there was inadequate escaping of SQL variables that were passed in from request parameters.

Security Risk
Critical
Vulnerability
SQL Injection
Affected Versions

CiviCRM version 5.24.2 and earlier

Fixed Versions

CiviCRM version 5.24.3 and 5.21.3

Publication Date
Solutions

Upgrade to the latest version of CiviCRM

Credits

Cure53 and Mozilla Open Source Support (MOSS) for reporting the issue
Seamus Lee (JMA Consulting/CiviCRM) and Patrick Figel (Greenpeace CEE) for resolving the issue

References

CIV-01-014