|Topic:||Flat file enrollments has various SQL injection vulnerabilities|
|Versions affected:||< 1.9.13 (2.x not affected)|
|Reported by:||Matt Meisberger|
|Solution:||upgrade to 1.9.13|
|Workaround:||escape quotes in user-uploaded CSV files|
When a CSV file is uploaded with fields containing quotes, the quotes could throw off SQL processing. This is only exploitable by admins, but could accidentally lead to DB corruption.
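
The failure mode described above, as an added example that is not part of the original advisory or the project's own code: an import that splices CSV fields into the SQL text breaks on an ordinary apostrophe and leaves the file half-imported, while bound parameters accept the same file unchanged. The table name, column layout and sample rows are constructed for illustration, and SQLite stands in for the real database.

```python
import csv
import io
import sqlite3

# Constructed sample upload; the column layout is an assumption, not the plugin's format.
SAMPLE_CSV = "add,student,u1001,Intro to Algebra\nadd,student,u1002,Writer's Workshop\n"


def open_db():
    """Fresh in-memory database with a hypothetical enrolment table."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE enrol (action TEXT, role TEXT, user_id TEXT, course TEXT)")
    return db


def import_concatenated(db, text):
    """Fragile pattern: field values are spliced into the SQL string."""
    done, failed = 0, []
    for row in csv.reader(io.StringIO(text)):
        sql = "INSERT INTO enrol VALUES ('%s', '%s', '%s', '%s')" % tuple(row)
        try:
            db.execute(sql)
            done += 1
        except sqlite3.Error as exc:
            # The apostrophe closed the string literal early, so the statement no longer parses.
            failed.append((row, str(exc)))
    return done, failed


def import_bound(db, text):
    """Hardened pattern: values travel as bound parameters, never as SQL text."""
    done = 0
    for row in csv.reader(io.StringIO(text)):
        if len(row) != 4:  # reject malformed rows instead of guessing
            continue
        db.execute("INSERT INTO enrol VALUES (?, ?, ?, ?)", row)
        done += 1
    return done


def courses(db):
    """Course names stored so far, ordered by user id."""
    return [r[0] for r in db.execute("SELECT course FROM enrol ORDER BY user_id")]


if __name__ == "__main__":
    done, failed = import_concatenated(open_db(), SAMPLE_CSV)
    print("concatenated:", done, "imported,", len(failed), "failed")
    db = open_db()
    print("bound:", import_bound(db, SAMPLE_CSV), "imported ->", courses(db))
```
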