CVE-2013-4662: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

May 17, 2022 (updated August 29, 2023)

The Quick Search API in CiviCRM 4.2.0 through 4.2.9 and 4.3.0 through 4.3.3 allows remote authenticated users to bypass the validation layer and conduct SQL injection attacks via a direct request to the “second layer” of the API, related to contact.getquick.

References

civicrm.org/advisory/civi-sa-2013-004-limited-sql-injection-quick-search-api
github.com/advisories/GHSA-4465-r2hg-v4rj
issues.civicrm.org/jira/browse/CRM-12765
nvd.nist.gov/vuln/detail/CVE-2013-4662

Detect and mitigate CVE-2013-4662 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →