CIVI-SA-2019-16: SQLI in certain checkboxes

Published
2019-05-15 09:00
Written by

When generating the query used to find records matching particular checkbox values, the submitted values were not properly escaped before the query was passed to the database, allowing SQL injection.
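The following PHP snippet is an added illustration of the class of defect described above and is not CiviCRM's own code. It assumes a hypothetical table `contact_custom` whose multi-valued checkbox column `colours` stores the checked options as a delimited string (the `"\x01"` separator is an assumption for this example), and it uses an in-memory SQLite database so it runs stand-alone. The first lookup function interpolates the submitted value into the SQL text, which is the unescaped pattern the advisory describes; the second binds the value as a prepared-statement parameter and escapes LIKE wildcards so user input can neither alter the query structure nor widen the match.

```php
<?php
// Added example, not CiviCRM code. Hypothetical schema and separator.
declare(strict_types=1);

// Assumed separator surrounding each stored checkbox option, e.g. "\x01red\x01blue\x01".
const SEP = "\x01";

function setupDb(): PDO {
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec('CREATE TABLE contact_custom (id INTEGER PRIMARY KEY, colours TEXT)');
    $ins = $pdo->prepare('INSERT INTO contact_custom (colours) VALUES (?)');
    // Constructed sample rows: record 1 has red+blue, record 2 green, record 3 blue.
    foreach ([SEP . 'red' . SEP . 'blue' . SEP, SEP . 'green' . SEP, SEP . 'blue' . SEP] as $v) {
        $ins->execute([$v]);
    }
    return $pdo;
}

// Vulnerable pattern: the submitted checkbox value becomes part of the SQL text.
// A value containing a single quote changes the statement itself.
function findByCheckboxUnsafe(PDO $pdo, string $checked): array {
    $sql = "SELECT id FROM contact_custom WHERE colours LIKE '%" . SEP . $checked . SEP . "%'";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// Hardened pattern: the value is passed as a bound parameter, so it is always
// treated as data. LIKE metacharacters (% _ \) in the value are escaped as well,
// otherwise a value such as "%" would match every record.
function findByCheckboxSafe(PDO $pdo, string $checked): array {
    $pattern = '%' . SEP . addcslashes($checked, '%_\\') . SEP . '%';
    $stmt = $pdo->prepare("SELECT id FROM contact_custom WHERE colours LIKE :p ESCAPE '\\'");
    $stmt->execute([':p' => $pattern]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

$pdo = setupDb();

// Normal input: both functions return the records with "blue" checked (ids 1 and 3).
print_r(findByCheckboxSafe($pdo, 'blue'));

// Input containing a quote: the safe version matches nothing and raises no error,
// because the value never reaches the SQL parser as syntax.
print_r(findByCheckboxSafe($pdo, "bl'ue"));

// The same input breaks the unsafe version, surfacing as a SQL syntax error;
// this is the symptom of the unescaped query the advisory describes.
try {
    findByCheckboxUnsafe($pdo, "bl'ue");
} catch (PDOException $e) {
    echo "unsafe query rejected: " . $e->getMessage() . PHP_EOL;
}
```

Run with `php example.php` (the `pdo_sqlite` extension is required). When reviewing code for this defect class, look for any place a form value is concatenated into a SQL string; the fix is the second function's shape, a placeholder plus a bound value, regardless of which database abstraction the application uses.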

Security Risk

Critical

Vulnerability

SQL Injection
Affected Versions

CiviCRM versions 5.13.0 and earlier

Fixed Versions

CiviCRM version 5.13.4 and 5.7.6

Solutions

Upgrade to the latest version of CiviCRM

Credits

Jamie McClelland of Progressive Technology Project for reporting and fixing the issue

References

security/core#44