CVE-2013-4662 - OpenCVE

The Quick Search API in CiviCRM 4.2.0 through 4.2.9 and 4.3.0 through 4.3.3 allows remote authenticated users to bypass the validation layer and conduct SQL injection attacks via a direct request to the "second layer" of the API, related to contact.getquick.

No CVSS v4.0

No CVSS v3.1

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication Single

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

AV:N/AC:L/Au:S/C:P/I:P/A:P

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Civicrm	Civicrm

Configuration 1 [-]

OR	cpe:2.3:a:civicrm:civicrm:4.2.0:::::::*
	cpe:2.3:a:civicrm:civicrm:4.2.1:::::::*
	cpe:2.3:a:civicrm:civicrm:4.2.2:::::::*
	cpe:2.3:a:civicrm:civicrm:4.2.4:::::::*
	cpe:2.3:a:civicrm:civicrm:4.2.5:::::::*
	cpe:2.3:a:civicrm:civicrm:4.2.6:::::::*
	cpe:2.3:a:civicrm:civicrm:4.2.7:::::::*
	cpe:2.3:a:civicrm:civicrm:4.2.8:::::::*
	cpe:2.3:a:civicrm:civicrm:4.2.9:::::::*
	cpe:2.3:a:civicrm:civicrm:4.3.0:::::::*
	cpe:2.3:a:civicrm:civicrm:4.3.1:::::::*
	cpe:2.3:a:civicrm:civicrm:4.3.2:::::::*
	cpe:2.3:a:civicrm:civicrm:4.3.3:::::::*

No data.

References

Link	Providers
http://issues.civicrm.org/jira/browse/CRM-12765
https://civicrm.org/advisory/civi-sa-2013-004-limited-sql-injection-quick-search-api

History

No history.

MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2014-01-29T18:00:00

Updated: 2024-08-06T16:52:26.877Z

Reserved: 2013-06-24T00:00:00

Link: CVE-2013-4662

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2014-01-29T18:55:26.637

Modified: 2014-02-21T19:29:06.233

Link: CVE-2013-4662

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "datePublic": "2013-06-10T00:00:00", "descriptions": [{"lang": "en", "value": "The Quick Search API in CiviCRM 4.2.0 through 4.2.9 and 4.3.0 through 4.3.3 allows remote authenticated users to bypass the validation layer and conduct SQL injection attacks via a direct request to the \"second layer\" of the API, related to contact.getquick."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2014-01-29T17:57:00", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://civicrm.org/advisory/civi-sa-2013-004-limited-sql-injection-quick-search-api"}, {"tags": ["x_refsource_CONFIRM"], "url": "http://issues.civicrm.org/jira/browse/CRM-12765"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2013-4662", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "The Quick Search API in CiviCRM 4.2.0 through 4.2.9 and 4.3.0 through 4.3.3 allows remote authenticated users to bypass the validation layer and conduct SQL injection attacks via a direct request to the \"second layer\" of the API, related to contact.getquick."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "https://civicrm.org/advisory/civi-sa-2013-004-limited-sql-injection-quick-search-api", "refsource": "CONFIRM", "url": "https://civicrm.org/advisory/civi-sa-2013-004-limited-sql-injection-quick-search-api"}, {"name": "http://issues.civicrm.org/jira/browse/CRM-12765", "refsource": "CONFIRM", "url": "http://issues.civicrm.org/jira/browse/CRM-12765"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-06T16:52:26.877Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://civicrm.org/advisory/civi-sa-2013-004-limited-sql-injection-quick-search-api"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "http://issues.civicrm.org/jira/browse/CRM-12765"}]}]}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2013-4662", "datePublished": "2014-01-29T18:00:00", "dateReserved": "2013-06-24T00:00:00", "dateUpdated": "2024-08-06T16:52:26.877Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:civicrm:civicrm:4.2.0:*:*:*:*:*:*:*", "matchCriteriaId": "C8CBF12E-640F-4752-8F52-B5B3D4015FC6", "vulnerable": true}, {"criteria": "cpe:2.3:a:civicrm:civicrm:4.2.1:*:*:*:*:*:*:*", "matchCriteriaId": "0A22C3AE-2E98-465C-B24C-725BEB99E943", "vulnerable": true}, {"criteria": "cpe:2.3:a:civicrm:civicrm:4.2.2:*:*:*:*:*:*:*", "matchCriteriaId": "21DDDCA1-78A1-4FFB-B180-7D0D20FE4FDA", "vulnerable": true}, {"criteria": "cpe:2.3:a:civicrm:civicrm:4.2.4:*:*:*:*:*:*:*", "matchCriteriaId": "8C5B0394-3C38-454F-BF55-82AADCDEBE9A", "vulnerable": true}, {"criteria": "cpe:2.3:a:civicrm:civicrm:4.2.5:*:*:*:*:*:*:*", "matchCriteriaId": "4F3D157E-9132-4EA9-A395-6E46C4C3C032", "vulnerable": true}, {"criteria": "cpe:2.3:a:civicrm:civicrm:4.2.6:*:*:*:*:*:*:*", "matchCriteriaId": "33E5813B-160F-48B2-91B2-4599048028A6", "vulnerable": true}, {"criteria": "cpe:2.3:a:civicrm:civicrm:4.2.7:*:*:*:*:*:*:*", "matchCriteriaId": "CC6A767A-D530-479B-9E3B-6FB49FD0B8FB", "vulnerable": true}, {"criteria": "cpe:2.3:a:civicrm:civicrm:4.2.8:*:*:*:*:*:*:*", "matchCriteriaId": "8D80D5F9-B4D9-41C9-B157-3FE31B54EDBF", "vulnerable": true}, {"criteria": "cpe:2.3:a:civicrm:civicrm:4.2.9:*:*:*:*:*:*:*", "matchCriteriaId": "1647D812-6174-4613-B57B-8BEF5C3877C5", "vulnerable": true}, {"criteria": "cpe:2.3:a:civicrm:civicrm:4.3.0:*:*:*:*:*:*:*", "matchCriteriaId": "074C6767-AC29-4A80-8A51-16DD69BFEAA3", "vulnerable": true}, {"criteria": "cpe:2.3:a:civicrm:civicrm:4.3.1:*:*:*:*:*:*:*", "matchCriteriaId": "FE6A4EB0-3143-41AF-B4CF-26C736BEF2A4", "vulnerable": true}, {"criteria": "cpe:2.3:a:civicrm:civicrm:4.3.2:*:*:*:*:*:*:*", "matchCriteriaId": "5B8BBCB1-99D0-4634-BAD6-495B9D040A4C", "vulnerable": true}, {"criteria": "cpe:2.3:a:civicrm:civicrm:4.3.3:*:*:*:*:*:*:*", "matchCriteriaId": "ECC01A92-9252-4184-B11A-39D077E761C5", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "The Quick Search API in CiviCRM 4.2.0 through 4.2.9 and 4.3.0 through 4.3.3 allows remote authenticated users to bypass the validation layer and conduct SQL injection attacks via a direct request to the \"second layer\" of the API, related to contact.getquick."}, {"lang": "es", "value": "Quick Search API en CiviCRM 4.2.0 hasta la versi\u00f3n 4.2.9 y 4.3.0 hasta 4.3.3 permite a usuarios remotos autenticados evadir la capa de validaci\u00f3n y llevar a cabo ataques de inyecciones de SQL a trav\u00e9s de peticiones directas hacia una \"segunda capa\" de la API, relacionada con contact.getquick."}], "id": "CVE-2013-4662", "lastModified": "2014-02-21T19:29:06.233", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "PARTIAL", "baseScore": 6.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 8.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}]}, "published": "2014-01-29T18:55:26.637", "references": [{"source": "cve@mitre.org", "tags": ["Vendor Advisory"], "url": "http://issues.civicrm.org/jira/browse/CRM-12765"}, {"source": "cve@mitre.org", "tags": ["Vendor Advisory"], "url": "https://civicrm.org/advisory/civi-sa-2013-004-limited-sql-injection-quick-search-api"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-89"}], "source": "nvd@nist.gov", "type": "Primary"}]}