Advisory ID: BACKDROP-SA-CONTRIB-2017-007
Vulnerability: SQL Injection
Versions affected: 

The module doesn't sufficiently sanitize column names provided by the client when the client queries for data and asks for the results to be sorted.

This vulnerability is mitigated by the fact that a site must have an "Index" resource enabled and the attacker must know the endpoint's URL.

Solution: 

If you use the Services module for Backdrop CMS 1.x, upgrade to services1.x-3.0.2-beta
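For developers who maintain similar sorting code, the following added example (not code from the Services module or from this advisory) shows one way to handle a client-supplied sort column: map it through a fixed allowlist, because a column name cannot be bound as a query parameter. The function name `build_index_query`, the `node` table layout and the request values are assumptions made for illustration.

```php
<?php
// Added example: hypothetical index-resource helper, not the Services module's code.
// The weak pattern is copying the request's sort value straight into the ORDER BY
// clause. Identifiers cannot be bound as parameters, so the value is looked up in
// an allowlist and only the allowlist's own string reaches the SQL text.

const SORTABLE = ['nid' => 'nid', 'title' => 'title', 'created' => 'created']; // assumed columns

function build_index_query(PDO $db, string $sort, string $dir, int $limit): PDOStatement {
    if (!array_key_exists($sort, SORTABLE)) {
        throw new InvalidArgumentException('Unsupported sort column');
    }
    $column = SORTABLE[$sort];                                   // taken from our table, not the request
    $direction = strtoupper($dir) === 'DESC' ? 'DESC' : 'ASC';  // anything else falls back to ASC
    $stmt = $db->prepare(
        "SELECT nid, title, created FROM node ORDER BY $column $direction LIMIT :limit"
    );
    $stmt->bindValue(':limit', $limit, PDO::PARAM_INT);         // values are still bound
    return $stmt;
}

// Constructed sample data in an in-memory SQLite database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE node (nid INTEGER PRIMARY KEY, title TEXT, created INTEGER)');
$db->exec("INSERT INTO node (title, created) VALUES ('b', 20), ('a', 30), ('c', 10)");

// Constructed request values: two valid sort keys and one that is not a column name.
$requests = [['title', 'asc'], ['created', 'DESC'], ['created, (SELECT 1)', 'asc']];
foreach ($requests as [$sort, $dir]) {
    try {
        $stmt = build_index_query($db, $sort, $dir, 10);
        $stmt->execute();
        $titles = array_column($stmt->fetchAll(PDO::FETCH_ASSOC), 'title');
        echo "$sort $dir => " . implode(',', $titles) . PHP_EOL;
    } catch (InvalidArgumentException $e) {
        // Log and return a client error instead of building the query.
        echo 'rejected sort key: ' . json_encode($sort) . PHP_EOL;
    }
}
```

Rejected sort keys are worth logging on the server side, since a legitimate client of an index endpoint has no reason to send a value outside the documented column list.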

Reported By: 
Fixed By: 
Coordinated By: