CVSS Score: -

Basic Information

CVE ID: -
GHSA ID: -
EPSS Score: -
CWE: -
Published: -
Updated: -
KEV Status: -
Technology: -
The vulnerability is a SQL injection reached through the contact.getquick API action by bypassing its API validation layer. The first vulnerable function, getSearchSQL, builds SQL queries by concatenating unsanitized user input from the search parameters directly into the statement. The second, getContactList, is the entry point for AJAX requests; it passes raw request input straight to that query builder, so the validation that guards the normal API path never runs. Both functions were identified from the CVE description, which refers to 'second layer' API access, and from the advisory's focus on the handling of the contact.getquick endpoint.
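The two-function pattern described above, as an added example that is not CiviCRM's code: a Python model of a query builder that interpolates the search term (standing in for getSearchSQL) and an AJAX entry point that calls it with raw input (standing in for getContactList), next to a parameterized builder that closes the hole. The table name, columns, sample rows, the `api_validate` check and the payload are all constructed for the illustration; the real PHP code, schema and parameter names differ.

```python
import sqlite3

# Constructed sample data standing in for a contact table; not real CiviCRM rows.
SAMPLE_CONTACTS = [
    (1, "Alice Example", "alice@example.org"),
    (2, "Bob Sample", "bob@example.org"),
    (3, "Carol Test", "carol@example.org"),
]


def make_db():
    """In-memory SQLite database so the example runs offline."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE contact (id INTEGER PRIMARY KEY, sort_name TEXT, email TEXT)")
    conn.executemany("INSERT INTO contact VALUES (?, ?, ?)", SAMPLE_CONTACTS)
    return conn


def vulnerable_search_sql(name):
    """Hypothetical re-creation of the flaw: the search term is spliced into the SQL text,
    so quotes and comment markers in it change the structure of the statement."""
    return (f"SELECT id, sort_name FROM contact WHERE sort_name LIKE '{name}%'", ())


def safe_search_sql(name):
    """Hardened form: a placeholder plus a bound parameter. The value is sent to the
    database separately from the statement and can only ever be data, never SQL.
    (LIKE wildcards '%' and '_' inside the term still act as wildcards; escape them
    if exact-prefix matching is required.)"""
    return ("SELECT id, sort_name FROM contact WHERE sort_name LIKE ?", (name + "%",))


def run_search(conn, query):
    sql, params = query
    return conn.execute(sql, params).fetchall()


def api_validate(params):
    """Models the outer API validation layer: accepts only a plain name fragment."""
    name = params.get("name", "")
    if not isinstance(name, str) or not all(c.isalnum() or c in " -." for c in name):
        raise ValueError("rejected by API validation")
    return name


def api_getquick(conn, params, builder=vulnerable_search_sql):
    """The validated path: input passes api_validate before reaching the builder."""
    return run_search(conn, builder(api_validate(params)))


def ajax_get_contact_list(conn, raw_params, builder=vulnerable_search_sql):
    """Models the 'second layer' entry point: raw request input goes straight to the
    query builder, so the validation on the API path is bypassed entirely."""
    return run_search(conn, builder(raw_params.get("name", "")))


def demo():
    """Runs a constructed UNION payload through each path and returns the outcomes."""
    conn = make_db()
    payload = {"name": "x' UNION SELECT id, email FROM contact --"}
    results = {}
    try:
        api_getquick(conn, payload)
        results["api_validated"] = "allowed"
    except ValueError:
        results["api_validated"] = "blocked"
    # Validation is skipped on the AJAX path; the vulnerable builder leaks every email.
    results["ajax_vulnerable"] = ajax_get_contact_list(conn, payload)
    # Same entry point and payload, but the parameterized builder treats it as a literal.
    results["ajax_hardened"] = ajax_get_contact_list(conn, payload, builder=safe_search_sql)
    # Legitimate use still works with the hardened builder.
    results["legit_hardened"] = ajax_get_contact_list(conn, {"name": "Ali"}, builder=safe_search_sql)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The point the example makes is that input validation at the API layer is not where the fix belongs: any second entry point that reaches the builder without it, as getContactList does here, inherits the injection. Binding the search term as a parameter in the builder itself protects every caller, including ones added later.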
| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| civicrm/civicrm-core | composer | >= 4.2.0, < 4.2.9 | 4.2.9 |
| civicrm/civicrm-core | composer | >= 4.3.0, < 4.3.3 | 4.3.3 |