Vulnerability Monitor

The vendors, products, and vulnerabilities you care about

CVE-2013-4662

The Quick Search API in CiviCRM 4.2.0 through 4.2.9 and 4.3.0 through 4.3.3 allows remote authenticated users to bypass the validation layer and conduct SQL injection attacks via a direct request to the "second layer" of the API, related to contact.getquick.

Published

2014-01-29T18:55:26.637

Last Modified

2025-04-11T00:51:21.963

Status

Deferred

Source

[email protected]

Severity

CVSSv2: 6.5 (MEDIUM)

CVSSv2 Vector

AV:N/AC:L/Au:S/C:P/I:P/A:P

Access Vector: NETWORK
Access Complexity: LOW
Authentication: SINGLE
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: PARTIAL

Exploitability Score

8.0

Impact Score

6.4

Weaknesses

Type: Primary
CWE-89

Affected Vendors & Products

Type	Vendor	Product	Version/Range	Vulnerable?
Application	civicrm	civicrm	4.2.0	Yes
Application	civicrm	civicrm	4.2.1	Yes
Application	civicrm	civicrm	4.2.2	Yes
Application	civicrm	civicrm	4.2.4	Yes
Application	civicrm	civicrm	4.2.5	Yes
Application	civicrm	civicrm	4.2.6	Yes
Application	civicrm	civicrm	4.2.7	Yes
Application	civicrm	civicrm	4.2.8	Yes
Application	civicrm	civicrm	4.2.9	Yes
Application	civicrm	civicrm	4.3.0	Yes
Application	civicrm	civicrm	4.3.1	Yes
Application	civicrm	civicrm	4.3.2	Yes
Application	civicrm	civicrm	4.3.3	Yes

References

http://issues.civicrm.org/jira/browse/CRM-12765 Vendor Advisory ([email protected])
https://civicrm.org/advisory/civi-sa-2013-004-limited-sql-injection-quick-search-api Vendor Advisory ([email protected])
http://issues.civicrm.org/jira/browse/CRM-12765 Vendor Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://civicrm.org/advisory/civi-sa-2013-004-limited-sql-injection-quick-search-api Vendor Advisory (af854a3a-2127-422b-91ae-364da2661108)