GHSA-4465-r2hg-v4rj

Source

https://github.com/advisories/GHSA-4465-r2hg-v4rj

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-4465-r2hg-v4rj/GHSA-4465-r2hg-v4rj.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-4465-r2hg-v4rj

Aliases

CVE-2013-4662

Published

2022-05-17T04:52:06Z

Modified

2023-11-08T03:57:24.206289Z

Summary

CiviCRM SQL injection vulnerability via Quick Search API

Details

The Quick Search API in CiviCRM 4.2.0 through 4.2.9 and 4.3.0 through 4.3.3 allows remote authenticated users to bypass the validation layer and conduct SQL injection attacks via a direct request to the "second layer" of the API, related to contact.getquick.

Database specific

{
    "cwe_ids": [
        "CWE-89"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2023-08-29T18:45:53Z",
    "nvd_published_at": "2014-01-29T18:55:00Z",
    "severity": "MODERATE"
}

References

Affected packages

Packagist / civicrm/civicrm-core

Package

Name: civicrm/civicrm-core
Purl: pkg:composer/civicrm/civicrm-core

Affected ranges

Type: ECOSYSTEM
Events: Introduced

4.2.0

Fixed

4.2.9

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-4465-r2hg-v4rj/GHSA-4465-r2hg-v4rj.json"

Packagist / civicrm/civicrm-core

Package

Name: civicrm/civicrm-core
Purl: pkg:composer/civicrm/civicrm-core

Affected ranges

Type: ECOSYSTEM
Events: Introduced

4.3.0

Fixed

4.3.3

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-4465-r2hg-v4rj/GHSA-4465-r2hg-v4rj.json"