CVE-2013-5957

Name of the Vulnerable Software and Affected Versions CiviCRM versions prior to 4.2.12 CiviCRM versions 4.3.x prior to 4.3.7 CiviCRM versions 4.4.x prior to 4.4.beta4

Description The issue allows remote attackers to execute arbitrary SQL commands via the value parameter to (1) "ajax/jqState" or (2) "ajax/jqcounty" API endpoints. This is a result of multiple SQL injection vulnerabilities in CRM/Core/Page/AJAX/Location.php.

Recommendations For versions prior to 4.2.12, update to version 4.2.12 or later. For versions 4.3.x prior to 4.3.7, update to version 4.3.7 or later. For versions 4.4.x prior to 4.4.beta4, update to version 4.4.beta4 or later. As a temporary workaround, consider restricting access to the "ajax/jqState" and "ajax/jqcounty" API endpoints until a patch is applied. Avoid using the value parameter in the affected API endpoints until the issue is resolved.