Lucene search
GitHub Advisory DatabaseGHSA-4465-R2HG-V4RJHistoryMay 17, 2022 - 4:52 a.m.
CiviCRM SQL injection vulnerability via Quick Search API
2022-05-1704:52:06
CWE-89
GitHub Advisory Database
github.com
1
6.5 Medium
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
SINGLE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:S/C:P/I:P/A:P
0.001 Low
EPSS
Percentile
46.5%
The Quick Search API in CiviCRM 4.2.0 through 4.2.9 and 4.3.0 through 4.3.3 allows remote authenticated users to bypass the validation layer and conduct SQL injection attacks via a direct request to the “second layer” of the API, related to contact.getquick.
Affected configurations
Node
civicrmcivicrmRange<4.3.3
ORcivicrmcivicrmRange<4.2.9
| CPE | Name | Operator | Version |
|---|---|---|---|
| civicrm/civicrm-core | lt | 4.3.3 | |
| civicrm/civicrm-core | lt | 4.2.9 |
Related
cve
cve
CVE-2013-4662
2014-01-29 18:55:26
cvelist
cvelist
CVE-2013-4662
2014-01-29 18:00:00
nvd
nvd
CVE-2013-4662
2014-01-29 18:55:26
osv
osv
CiviCRM SQL injection vulnerability via Quick Search API
2022-05-17 04:52:06
prion
prion
Sql injection
2014-01-29 18:55:00
debiancve
debiancve
CVE-2013-4662
2014-01-29 18:55:26
6.5 Medium
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
SINGLE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:S/C:P/I:P/A:P
0.001 Low
EPSS
Percentile
46.5%
Related for GHSA-4465-R2HG-V4RJ