fkie_nvd - fkie_cve-2013-4662

fkie_cve-2013-4662

Vulnerability from fkie_nvd

Published

2014-01-29 18:55

Modified

2024-11-21 01:56

Severity ?

Summary

The Quick Search API in CiviCRM 4.2.0 through 4.2.9 and 4.3.0 through 4.3.3 allows remote authenticated users to bypass the validation layer and conduct SQL injection attacks via a direct request to the "second layer" of the API, related to contact.getquick.

References

URL	Tags
cve@mitre.org	http://issues.civicrm.org/jira/browse/CRM-12765	Vendor Advisory
cve@mitre.org	https://civicrm.org/advisory/civi-sa-2013-004-limited-sql-injection-quick-search-api	Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108	http://issues.civicrm.org/jira/browse/CRM-12765	Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108	https://civicrm.org/advisory/civi-sa-2013-004-limited-sql-injection-quick-search-api	Vendor Advisory

Impacted products

Vendor	Product	Version
civicrm	civicrm	4.2.0
civicrm	civicrm	4.2.1
civicrm	civicrm	4.2.2
civicrm	civicrm	4.2.4
civicrm	civicrm	4.2.5
civicrm	civicrm	4.2.6
civicrm	civicrm	4.2.7
civicrm	civicrm	4.2.8
civicrm	civicrm	4.2.9
civicrm	civicrm	4.3.0
civicrm	civicrm	4.3.1
civicrm	civicrm	4.3.2
civicrm	civicrm	4.3.3

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:civicrm:civicrm:4.2.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "C8CBF12E-640F-4752-8F52-B5B3D4015FC6",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:civicrm:civicrm:4.2.1:*:*:*:*:*:*:*",
              "matchCriteriaId": "0A22C3AE-2E98-465C-B24C-725BEB99E943",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:civicrm:civicrm:4.2.2:*:*:*:*:*:*:*",
              "matchCriteriaId": "21DDDCA1-78A1-4FFB-B180-7D0D20FE4FDA",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:civicrm:civicrm:4.2.4:*:*:*:*:*:*:*",
              "matchCriteriaId": "8C5B0394-3C38-454F-BF55-82AADCDEBE9A",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:civicrm:civicrm:4.2.5:*:*:*:*:*:*:*",
              "matchCriteriaId": "4F3D157E-9132-4EA9-A395-6E46C4C3C032",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:civicrm:civicrm:4.2.6:*:*:*:*:*:*:*",
              "matchCriteriaId": "33E5813B-160F-48B2-91B2-4599048028A6",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:civicrm:civicrm:4.2.7:*:*:*:*:*:*:*",
              "matchCriteriaId": "CC6A767A-D530-479B-9E3B-6FB49FD0B8FB",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:civicrm:civicrm:4.2.8:*:*:*:*:*:*:*",
              "matchCriteriaId": "8D80D5F9-B4D9-41C9-B157-3FE31B54EDBF",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:civicrm:civicrm:4.2.9:*:*:*:*:*:*:*",
              "matchCriteriaId": "1647D812-6174-4613-B57B-8BEF5C3877C5",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:civicrm:civicrm:4.3.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "074C6767-AC29-4A80-8A51-16DD69BFEAA3",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:civicrm:civicrm:4.3.1:*:*:*:*:*:*:*",
              "matchCriteriaId": "FE6A4EB0-3143-41AF-B4CF-26C736BEF2A4",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:civicrm:civicrm:4.3.2:*:*:*:*:*:*:*",
              "matchCriteriaId": "5B8BBCB1-99D0-4634-BAD6-495B9D040A4C",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:civicrm:civicrm:4.3.3:*:*:*:*:*:*:*",
              "matchCriteriaId": "ECC01A92-9252-4184-B11A-39D077E761C5",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "The Quick Search API in CiviCRM 4.2.0 through 4.2.9 and 4.3.0 through 4.3.3 allows remote authenticated users to bypass the validation layer and conduct SQL injection attacks via a direct request to the \"second layer\" of the API, related to contact.getquick."
    },
    {
      "lang": "es",
      "value": "Quick Search API en CiviCRM 4.2.0 hasta la versi\u00f3n 4.2.9 y 4.3.0 hasta 4.3.3 permite a usuarios remotos autenticados evadir la capa de validaci\u00f3n y llevar a cabo ataques de inyecciones de SQL a trav\u00e9s de peticiones directas hacia una \"segunda capa\" de la API, relacionada con contact.getquick."
    }
  ],
  "id": "CVE-2013-4662",
  "lastModified": "2024-11-21T01:56:00.967",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "MEDIUM",
        "cvssData": {
          "accessComplexity": "LOW",
          "accessVector": "NETWORK",
          "authentication": "SINGLE",
          "availabilityImpact": "PARTIAL",
          "baseScore": 6.5,
          "confidentialityImpact": "PARTIAL",
          "integrityImpact": "PARTIAL",
          "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P",
          "version": "2.0"
        },
        "exploitabilityScore": 8.0,
        "impactScore": 6.4,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": false
      }
    ]
  },
  "published": "2014-01-29T18:55:26.637",
  "references": [
    {
      "source": "cve@mitre.org",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "http://issues.civicrm.org/jira/browse/CRM-12765"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://civicrm.org/advisory/civi-sa-2013-004-limited-sql-injection-quick-search-api"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "http://issues.civicrm.org/jira/browse/CRM-12765"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://civicrm.org/advisory/civi-sa-2013-004-limited-sql-injection-quick-search-api"
    }
  ],
  "sourceIdentifier": "cve@mitre.org",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-89"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

cve-2013-4662

Vulnerability from cvelistv5

Published

2014-01-29 18:00

Modified

2024-08-06 16:52