Tristan Leiter

#36208 of 53,633
7.5 Total CVSS
Vulnerabilities · 1
PT-2013-5882
7.5
2013-11-27
Civicrm · Civicrm · CVE-2013-5957
**Name of the Vulnerable Software and Affected Versions**

CiviCRM versions prior to 4.2.12; CiviCRM versions 4.3.x prior to 4.3.7; CiviCRM versions 4.4.x prior to 4.4.beta4.

**Description**

The issue allows remote attackers to execute arbitrary SQL commands via the `value` parameter to the (1) "ajax/jqState" or (2) "ajax/jqcounty" API endpoints. It is the result of multiple SQL injection vulnerabilities in CRM/Core/Page/AJAX/Location.php, where the parameter is used in a query without proper escaping or parameterization.

**Recommendations**

For versions prior to 4.2.12, update to version 4.2.12 or later. For versions 4.3.x prior to 4.3.7, update to version 4.3.7 or later. For versions 4.4.x prior to 4.4.beta4, update to version 4.4.beta4 or later.

As a temporary workaround, consider restricting access to the "ajax/jqState" and "ajax/jqcounty" API endpoints until the patch is applied, and avoid using the `value` parameter with these endpoints until the issue is resolved.