CiviCRM · CiviCRM · CVE-2013-4662
**Name of the Vulnerable Software and Affected Versions**
CiviCRM versions 4.2.0 through 4.2.9
CiviCRM versions 4.3.0 through 4.3.3
**Description**
The issue allows remote authenticated users to bypass the validation layer and conduct SQL injection attacks via a direct request to the "second layer" of the Quick Search API, related to contact.getquick.
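A generic model of the flaw class described above, added here as an illustration: it is not CiviCRM code, and the function names, table, allowlist and rows are all constructed. It shows why input checks made only in an outer API layer do not protect an inner layer that can be called directly, and the inner-layer fix (validate again and bind the value as a parameter).

```python
import re
import sqlite3

ALLOWED = re.compile(r"[A-Za-z ,.-]{1,64}")  # assumed allowlist for a name search

def make_db():
    """In-memory table with constructed sample rows."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE contact (id INTEGER PRIMARY KEY, sort_name TEXT)")
    db.executemany("INSERT INTO contact (sort_name) VALUES (?)",
                   [("Adams, Ann",), ("Baker, Bob",), ("Chen, Cy",)])
    return db

def validate(params):
    """Validation layer: reject anything outside the allowlist."""
    name = params.get("name", "")
    if not isinstance(name, str) or not ALLOWED.fullmatch(name):
        raise ValueError("invalid search term")
    return name

def search_unsafe(db, params):
    """Second layer, flawed: trusts the caller and concatenates input into SQL."""
    sql = "SELECT sort_name FROM contact WHERE sort_name LIKE '" + params["name"] + "%'"
    return [row[0] for row in db.execute(sql)]

def search_safe(db, params):
    """Second layer, hardened: validates again and binds the value."""
    name = validate(params)
    sql = "SELECT sort_name FROM contact WHERE sort_name LIKE ? ORDER BY id"
    return [row[0] for row in db.execute(sql, (name + "%",))]

def api_entry(db, params, search):
    """First layer: the only place the flawed design checks input."""
    validate(params)
    return search(db, params)

def rejected(call, *args):
    """True when the call raises ValueError, i.e. the input was refused."""
    try:
        call(*args)
    except ValueError:
        return True
    return False

CRAFTED = {"name": "zzz' OR '1'='1' --"}  # constructed input that alters the WHERE clause

if __name__ == "__main__":
    db = make_db()
    print("via first layer, flawed second layer:", rejected(api_entry, db, CRAFTED, search_unsafe))
    print("direct call, flawed second layer:", search_unsafe(db, CRAFTED))
    print("direct call, hardened second layer:", rejected(search_safe, db, CRAFTED))
```

The flawed inner function returns every row when called directly, while the hardened one refuses the same input regardless of which layer the request arrives through.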
**Recommendations**
For CiviCRM versions 4.2.0 through 4.2.9, update to a version outside of this range to mitigate the risk.
For CiviCRM versions 4.3.0 through 4.3.3, update to a version outside of this range to mitigate the risk.
As a temporary workaround, consider restricting access to the Quick Search API until a patch is available.