CIVI-SA-2023-09: GetFields SQLI

Publié
2023-09-06 12:00
Written by

Users with access APIv3 or APIv4 via any medium (including web-browser) may be able to execute an SQL injection (SQL) attack.

Security Risk
Critical
Vulnerability
SQL Injection
Affected Versions

CiviCRM version 5.64.3 and earlier

Fixed Versions

CiviCRM version 5.64.4, 5.65.0 and 5.63.4 (ESR)

Publication Date
Solutions

Upgrade to the fixed version of CiviCRM

Credits

Coleman Watts of CiviCRM.
Seamus Lee of JMA Consulting/CiviCRM.
Rich Lott of Artful Robot.
Tim Otten of CiviCRM

References

security/core#124