CVE-2013-5957

critical

Description

Multiple SQL injection vulnerabilities in CRM/Core/Page/AJAX/Location.php in CiviCRM before 4.2.12, 4.3.x before 4.3.7, and 4.4.x before 4.4.beta4 allow remote attackers to execute arbitrary SQL commands via the _value parameter to (1) ajax/jqState or (2) ajax/jqcounty.

References

https://www.navixia.com/company/navixia-news/395-navixia-finds-critical-vulnerability-in-civicrm.html

https://github.com/civicrm/civicrm-core/pull/1708.diff

https://civicrm.org/advisory/civi-sa-2013-009-sql-injection-vulnerability

Details

Source: Mitre, NVD

Published: 2013-11-27

Updated: 2021-04-16

Risk Information

CVSS v2

Base Score: 7.5

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P

Severity: High

CVSS v3

Base Score: 9.8

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Severity: Critical