CVE-2013-4662 – civicrm/civicrm-core
Package
Manager: composer
Name: civicrm/civicrm-core
Vulnerable Version: >=4.2.0 <4.2.9 || >=4.3.0 <4.3.3
Severity
Level: Medium
CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:U/RL:U/RC:R
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
EPSS: 0.00132 (percentile: 0.33591)
Details
CiviCRM SQL injection vulnerability via Quick Search API
The Quick Search API in CiviCRM 4.2.0 through 4.2.9 and 4.3.0 through 4.3.3 allows remote authenticated users to bypass the validation layer and conduct SQL injection attacks via a direct request to the "second layer" of the API, related to contact.getquick.
Metadata
Created: 2022-05-17T04:52:06Z
Modified: 2023-08-29T18:45:53Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-4465-r2hg-v4rj/GHSA-4465-r2hg-v4rj.json
CWE IDs: ["CWE-89"]
Alternative ID: GHSA-4465-r2hg-v4rj
Finding: F297
Auto approve: 1