CVE-2013-4662

Severity Score

6.5

*CVSS v2

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

The Quick Search API in CiviCRM 4.2.0 through 4.2.9 and 4.3.0 through 4.3.3 allows remote authenticated users to bypass the validation layer and conduct SQL injection attacks via a direct request to the "second layer" of the API, related to contact.getquick.

Quick Search API en CiviCRM 4.2.0 hasta la versión 4.2.9 y 4.3.0 hasta 4.3.3 permite a usuarios remotos autenticados evadir la capa de validación y llevar a cabo ataques de inyecciones de SQL a través de peticiones directas hacia una "segunda capa" de la API, relacionada con contact.getquick.

*Credits: N/A

CVSS Scores

NISTv2 6.5

Attack Vector

Network

Attack Complexity

Low

Authentication

Single

Confidentiality

Partial

Integrity

Partial

Availability

Partial

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2013-06-24 CVE Reserved
2014-01-29 CVE Published
2023-12-12 EPSS Updated
2024-08-06 CVE Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

CAPEC

References (2)

URL	Tag	Source

URL	Date	SRC

URL	Date	SRC

URL	Date	SRC
http://issues.civicrm.org/jira/browse/CRM-12765	2014-02-21
https://civicrm.org/advisory/civi-sa-2013-004-limited-sql-injection-quick-search-api	2014-02-21

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Civicrm Search vendor "Civicrm"		Civicrm Search vendor "Civicrm" for product "Civicrm"				4.2.0 Search vendor "Civicrm" for product "Civicrm" and version "4.2.0"		-		Affected
Civicrm Search vendor "Civicrm"		Civicrm Search vendor "Civicrm" for product "Civicrm"				4.2.1 Search vendor "Civicrm" for product "Civicrm" and version "4.2.1"		-		Affected
Civicrm Search vendor "Civicrm"		Civicrm Search vendor "Civicrm" for product "Civicrm"				4.2.2 Search vendor "Civicrm" for product "Civicrm" and version "4.2.2"		-		Affected
Civicrm Search vendor "Civicrm"		Civicrm Search vendor "Civicrm" for product "Civicrm"				4.2.4 Search vendor "Civicrm" for product "Civicrm" and version "4.2.4"		-		Affected
Civicrm Search vendor "Civicrm"		Civicrm Search vendor "Civicrm" for product "Civicrm"				4.2.5 Search vendor "Civicrm" for product "Civicrm" and version "4.2.5"		-		Affected
Civicrm Search vendor "Civicrm"		Civicrm Search vendor "Civicrm" for product "Civicrm"				4.2.6 Search vendor "Civicrm" for product "Civicrm" and version "4.2.6"		-		Affected
Civicrm Search vendor "Civicrm"		Civicrm Search vendor "Civicrm" for product "Civicrm"				4.2.7 Search vendor "Civicrm" for product "Civicrm" and version "4.2.7"		-		Affected
Civicrm Search vendor "Civicrm"		Civicrm Search vendor "Civicrm" for product "Civicrm"				4.2.8 Search vendor "Civicrm" for product "Civicrm" and version "4.2.8"		-		Affected
Civicrm Search vendor "Civicrm"		Civicrm Search vendor "Civicrm" for product "Civicrm"				4.2.9 Search vendor "Civicrm" for product "Civicrm" and version "4.2.9"		-		Affected
Civicrm Search vendor "Civicrm"		Civicrm Search vendor "Civicrm" for product "Civicrm"				4.3.0 Search vendor "Civicrm" for product "Civicrm" and version "4.3.0"		-		Affected
Civicrm Search vendor "Civicrm"		Civicrm Search vendor "Civicrm" for product "Civicrm"				4.3.1 Search vendor "Civicrm" for product "Civicrm" and version "4.3.1"		-		Affected
Civicrm Search vendor "Civicrm"		Civicrm Search vendor "Civicrm" for product "Civicrm"				4.3.2 Search vendor "Civicrm" for product "Civicrm" and version "4.3.2"		-		Affected
Civicrm Search vendor "Civicrm"		Civicrm Search vendor "Civicrm" for product "Civicrm"				4.3.3 Search vendor "Civicrm" for product "Civicrm" and version "4.3.3"		-		Affected