Moderate severity · NVD Advisory · Published Jan 29, 2014 · Updated Apr 29, 2026
CVE-2013-4662
Description
The Quick Search API in CiviCRM 4.2.0 through 4.2.9 and 4.3.0 through 4.3.3 allows remote authenticated users to bypass the validation layer and conduct SQL injection attacks via a direct request to the "second layer" of the API, related to contact.getquick. The security-relevant point is where the defence lives: input validation sits only in the outer API wrapper, while the inner implementation that builds the query trusts whatever it is handed, so any path that reaches the inner layer directly is unprotected. Exploitation requires an authenticated account, which is why the vendor rates the issue as limited rather than critical.
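The mechanism described above, modelled as an added example in Python with sqlite3 (this is not CiviCRM's PHP code, its real schema, or its real API wrapper): an outer API layer validates the search string, an inner layer builds the query by string interpolation and is only safe while every caller goes through the outer layer, and a direct call to the inner layer with a constructed payload bypasses the check. The function names, the `contact` and `credential` tables and their rows, the validation regex and the payload are all assumptions for illustration. The hardened inner function binds the value as a parameter, so it stays safe no matter which layer calls it.

```python
import re
import sqlite3


# Constructed sample schema and rows (assumption: not CiviCRM's real tables).
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE contact (id INTEGER PRIMARY KEY, sort_name TEXT, is_deleted INTEGER)"
    )
    conn.executemany(
        "INSERT INTO contact (sort_name, is_deleted) VALUES (?, ?)",
        [("Adams, Alice", 0), ("Baker, Bob", 0), ("Chen, Carol", 1)],
    )
    # A table the quick-search caller must never be able to read.
    conn.execute("CREATE TABLE credential (id INTEGER PRIMARY KEY, token TEXT)")
    conn.execute("INSERT INTO credential (token) VALUES ('secret-token-1')")
    return conn


# Hypothetical validation rule for the outer API layer: letters, spaces and a
# few name-punctuation characters only, so quotes and semicolons are rejected.
NAME_RE = re.compile(r"^[A-Za-z ,.\-]{1,64}$")


def getquick_validated(conn, name):
    """Outer layer: validates the input, then delegates to the inner layer."""
    if not NAME_RE.fullmatch(name):
        raise ValueError("invalid quick-search name")
    return getquick_inner_vulnerable(conn, name)


def getquick_inner_vulnerable(conn, name):
    """Inner layer that trusts its caller and interpolates the name into SQL.

    Safe only while every caller goes through getquick_validated(); a direct
    call with attacker-controlled input is the bypass the advisory describes.
    """
    sql = (
        "SELECT id, sort_name FROM contact "
        f"WHERE is_deleted = 0 AND sort_name LIKE '{name}%'"
    )
    return conn.execute(sql).fetchall()


def getquick_inner_fixed(conn, name):
    """Hardened inner layer: bound parameter plus LIKE-wildcard escaping.

    Correct regardless of which layer calls it, so the outer validation becomes
    defence in depth rather than the only line of defence.
    """
    pattern = (
        name.replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_") + "%"
    )
    sql = (
        "SELECT id, sort_name FROM contact "
        "WHERE is_deleted = 0 AND sort_name LIKE ? ESCAPE '\\'"
    )
    return conn.execute(sql, (pattern,)).fetchall()


# Constructed payload: closes the quoted LIKE pattern, appends a UNION that reads
# the credential table, and comments out the trailing "%'" left by the template.
PAYLOAD = "' UNION SELECT id, token FROM credential -- "


def demo():
    """Run the four cases and return (normal, blocked, leaked, fixed)."""
    conn = make_db()
    normal = getquick_validated(conn, "Ba")          # legitimate prefix search
    try:
        getquick_validated(conn, PAYLOAD)            # outer layer rejects the payload
        blocked = False
    except ValueError:
        blocked = True
    leaked = getquick_inner_vulnerable(conn, PAYLOAD)  # direct call bypasses the check
    fixed = getquick_inner_fixed(conn, PAYLOAD)        # parameterised layer stays safe
    return normal, blocked, leaked, fixed


if __name__ == "__main__":
    for label, value in zip(("normal", "blocked", "leaked", "fixed"), demo()):
        print(f"{label}: {value}")
```

The check a reviewer would apply to a layered API like this is to list every caller of the inner function and confirm the inner function parameterises its own SQL, rather than relying on a wrapper it cannot see; the vulnerable variant passes a casual review only because its single intended caller happens to validate.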
Affected packages
Versions sourced from the GitHub Security Advisory. Note the discrepancy between sources: the GHSA ranges stop short of 4.2.9 and 4.3.3, while the NVD description above and the CPE list below count 4.2.9 and 4.3.3 as affected. Do not treat 4.2.9 or 4.3.3 as safe on the strength of this table alone; confirm the first fixed release against the vendor advisory (CIVI-SA-2013-004) in the references.
| Package | Affected versions | Patched versions |
|---|---|---|
| civicrm/civicrm-core (Packagist) | >= 4.2.0, < 4.2.9 | 4.2.9 |
| civicrm/civicrm-core (Packagist) | >= 4.3.0, < 4.3.3 | 4.3.3 |
Affected products
- cpe:2.3:a:civicrm:civicrm:4.2.0:*:*:*:*:*:*:*
- cpe:2.3:a:civicrm:civicrm:4.2.1:*:*:*:*:*:*:*
- cpe:2.3:a:civicrm:civicrm:4.2.2:*:*:*:*:*:*:*
- cpe:2.3:a:civicrm:civicrm:4.2.4:*:*:*:*:*:*:*
- cpe:2.3:a:civicrm:civicrm:4.2.5:*:*:*:*:*:*:*
- cpe:2.3:a:civicrm:civicrm:4.2.6:*:*:*:*:*:*:*
- cpe:2.3:a:civicrm:civicrm:4.2.7:*:*:*:*:*:*:*
- cpe:2.3:a:civicrm:civicrm:4.2.8:*:*:*:*:*:*:*
- cpe:2.3:a:civicrm:civicrm:4.2.9:*:*:*:*:*:*:*
- cpe:2.3:a:civicrm:civicrm:4.3.0:*:*:*:*:*:*:*
- cpe:2.3:a:civicrm:civicrm:4.3.1:*:*:*:*:*:*:*
- cpe:2.3:a:civicrm:civicrm:4.3.2:*:*:*:*:*:*:*
- cpe:2.3:a:civicrm:civicrm:4.3.3:*:*:*:*:*:*:*
Patches
No patches discovered yet.
References
- issues.civicrm.org/jira/browse/CRM-12765 (vendor issue tracker; cited by NVD as vendor advisory and by GHSA)
- civicrm.org/advisory/civi-sa-2013-004-limited-sql-injection-quick-search-api (vendor advisory CIVI-SA-2013-004; cited by NVD)
- github.com/advisories/GHSA-4465-r2hg-v4rj (GitHub Security Advisory)
- nvd.nist.gov/vuln/detail/CVE-2013-4662 (NVD entry; cited by GHSA)