GHSA-4465-r2hg-v4rj

Suggest an improvement
Source
https://github.com/advisories/GHSA-4465-r2hg-v4rj
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-4465-r2hg-v4rj/GHSA-4465-r2hg-v4rj.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-4465-r2hg-v4rj
Aliases
  • CVE-2013-4662
Published
2022-05-17T04:52:06Z
Modified
2023-11-08T03:57:24.206289Z
Summary
CiviCRM SQL injection vulnerability via Quick Search API
Details

The Quick Search API in CiviCRM 4.2.0 through 4.2.9 and 4.3.0 through 4.3.3 allows remote authenticated users to bypass the validation layer and conduct SQL injection attacks via a direct request to the "second layer" of the API, related to contact.getquick.

References

Affected packages

Packagist / civicrm/civicrm-core

Package

Name
civicrm/civicrm-core
Purl
pkg:composer/civicrm/civicrm-core

Affected ranges

Type
ECOSYSTEM
Events
Introduced
4.2.0
Fixed
4.2.9

Packagist / civicrm/civicrm-core

Package

Name
civicrm/civicrm-core
Purl
pkg:composer/civicrm/civicrm-core

Affected ranges

Type
ECOSYSTEM
Events
Introduced
4.3.0
Fixed
4.3.3