CVE-2013-4662 — SQL Injection in Civicrm-core

CWE-89 — SQL Injection4 documents4 sources

Severity

6.5MEDIUMNVD

EPSS

0.1%

top 67.27%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Civicrm Civicrm-core Civicrm Debian Civicrm

Timeline

PublishedJan 29

Latest updateMay 17

Description

The Quick Search API in CiviCRM 4.2.0 through 4.2.9 and 4.3.0 through 4.3.3 allows remote authenticated users to bypass the validation layer and conduct SQL injection attacks via a direct request to the "second layer" of the API, related to contact.getquick.

CVSS vector

AV:N/AC:L/C:P/I:P/A:PExploitability: 8.0 | Impact: 6.4

Affected Packages3 packages

▶Packagistcivicrm/civicrm-core4.2.0 — 4.2.9+1

▶debiandebian/civicrm

▶NVDcivicrm/civicrm13 versions+12

🔴Vulnerability Details

GHSA

CiviCRM SQL injection vulnerability via Quick Search API↗2022-05-17

▶

OSV

CiviCRM SQL injection vulnerability via Quick Search API↗2022-05-17

▶

📋Vendor Advisories

Debian

CVE-2013-4662: civicrm - The Quick Search API in CiviCRM 4.2.0 through 4.2.9 and 4.3.0 through 4.3.3 allo...↗2013

▶