Drupal Security Team | DRUPAL-SA-CONTRIB-2015-005
Jan 07, 2015 - 12:00 a.m.

SA-CONTRIB-2015-005 - WikiWiki - SQL injection

2015-01-07 00:00:00
Drupal Security Team
www.drupal.org
CVSS2: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)

  • Attack Vector: NETWORK
  • Attack Complexity: LOW
  • Authentication: NONE
  • Confidentiality Impact: PARTIAL
  • Integrity Impact: PARTIAL
  • Availability Impact: PARTIAL

EPSS: 0.967 (Percentile: 99.7%)

The WikiWiki module gives you one place to create, share and find wiki pages on your site.

The module did not sanitize user input used inside a database query, leading to a SQL injection vulnerability.

CVE identifier(s) issued

  • CVE-2015-3346

Versions affected

  • WikiWiki 6.x-1.x versions prior to 6.x-1.2.

Drupal core is not affected. If you do not use the contributed WikiWiki module, there is nothing you need to do.

Solution

Install the latest version:

  • If you use the WikiWiki module for Drupal 6.x, upgrade to WikiWiki 6.x-1.2

Also see the WikiWiki project page.

Reported by

  • Pere Orga, provisional member of the Drupal Security Team

Fixed by

Coordinated by

  • Pere Orga, provisional member of the Drupal Security Team
