This page lists all security advisories since June 2013. For older security advisories see this post. Security release announcements (starting with v4.2) are also listed here.

To receive future CiviCRM security notices, subscribe to our notifications.

CIVI-SA-2017-13 selectedChild URL parameter not properly validated for CiviCRM message templates

When viewing the list of message templates, a URL parameter called selectedChild specifies which of the two lists (user and workflow) the page shows by default. This value was not validated against those two known types. The URL parameter is now validated against the two expected values.

CIVI-SA-2017-09 Shell injection vulnerability in Smarty

As part of CiviCRM's defense-in-depth program, we have upgraded Smarty after the Smarty project announced that one of the functions in the Smarty templating engine potentially allowed shell injection.

Despite this vulnerability in the Smarty library, CiviCRM's usage of Smarty appears not to expose the shell injection.

CIVI-SA-2017-08 XSS in HTML link attributes

In a number of locations within the CiviCRM code base, potentially unescaped variables were passed into HTML attributes such as alt and title. One example was the event registration pages, where administrators could set both the button text and its title attribute to anything they chose. The fix properly escapes the content of those attributes.
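The following is an added example, not CiviCRM's own code: it reproduces the attribute-injection pattern described above in stand-alone PHP, rendering the same button with and without escaping and then parsing the result to see whether an event-handler attribute appeared. The function names, the markup, and the sample title are assumptions for illustration; it relies on the standard ext/dom extension for the check.

```php
<?php
// Added example, not CiviCRM's own code: the attribute-injection pattern
// behind CIVI-SA-2017-08 in stand-alone form. Function names, the markup
// and the sample input are assumptions for illustration.

declare(strict_types=1);

// Vulnerable: administrator-supplied button text and title are concatenated
// into the tag as-is. A value containing a double quote closes the attribute,
// and whatever follows becomes new attributes, including event handlers.
function renderButtonVulnerable(string $text, string $title): string
{
    return '<input type="submit" value="' . $text . '" title="' . $title . '">';
}

// Escape a value for use inside a double- or single-quoted HTML attribute.
// ENT_QUOTES is the important flag: before PHP 8.1 htmlspecialchars()
// defaulted to ENT_COMPAT, which leaves ' untouched, so a single-quoted
// attribute would still be breakable. ENT_SUBSTITUTE replaces invalid
// UTF-8 with U+FFFD instead of returning an empty string.
function escapeAttr(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Hardened: every dynamic value is escaped at the point it enters an attribute.
function renderButtonSafe(string $text, string $title): string
{
    return '<input type="submit" value="' . escapeAttr($text)
        . '" title="' . escapeAttr($title) . '">';
}

// Parse the rendered tag the way a browser would and list any on* attributes
// it ends up with. A naive substring search is not enough here, because the
// escaped output still contains the text "onmouseover=" inside the title value.
function injectedHandlers(string $html): array
{
    $dom = new DOMDocument();
    $dom->loadHTML($html, LIBXML_NOERROR);
    $found = [];
    foreach ($dom->getElementsByTagName('input') as $input) {
        foreach ($input->attributes as $attr) {
            if (stripos($attr->name, 'on') === 0) {
                $found[] = $attr->name;
            }
        }
    }
    return $found;
}

// Constructed sample input: what an administrator could type into the event
// registration button title setting (not taken from the advisory).
$title = 'Register" onmouseover="alert(document.cookie)';

foreach (['vulnerable' => renderButtonVulnerable('Register', $title),
          'safe'       => renderButtonSafe('Register', $title)] as $label => $html) {
    printf("%-10s %s\n", $label . ':', $html);
    printf("%-10s handlers: %s\n", '', implode(', ', injectedHandlers($html)) ?: 'none');
}
```

Run with the PHP CLI. The vulnerable tag parses with an onmouseover attribute; the safe one carries the whole hostile string inside the title value and no handler. In a Smarty template the equivalent is to pass the variable through the escape modifier rather than output it raw, and the same rule applies to every attribute, not only alt and title.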

CIVI-SA-2016-22 Profile permission check bypasses in WordPress

This issue affects your site if it is hosted on WordPress, and you use ACLs to restrict access to contact data.

It was identified that CiviCRM on WordPress CMS did not correctly trigger ACL checks when viewing CiviCRM profile URLs via checksum. This might lead sites to disclose some contact data via profile pages.

CIVI-SA-2016-21 Incorrect escaping of custom group name in CiviCase

It was identified that input was not correctly validated when viewing an activity related to a case: the custom group title was not properly escaped when generating SQL.

This is mitigated by the fact that an attacker would need to have the "administer CiviCRM" permission, and that the issue only affects sites with CiviCase enabled.

CIVI-SA-2016-20 Lack of validation of contact IDs in the apiQuery function

It was identified that CRM_Contact_BAO_Query::apiQuery did not correctly validate contact ID inputs. This could expose contact data via SQL injection.

This is mitigated by permission restrictions, meaning that anonymous users would not typically be able to exploit this vector.
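The following is an added example, not CiviCRM's own code, covering the two SQL-generation issues above (CIVI-SA-2016-21 and CIVI-SA-2016-20): a query builder that first splices a custom group title and a list of contact IDs into SQL unescaped, then the same query with each value validated and escaped according to its declared type. The approach mirrors the idea of escaping by type, but the function, table and column names are assumptions for illustration, the inputs are constructed, and the string escaping is a stand-in so the example runs without a database.

```php
<?php
// Added example, not CiviCRM's own code: stand-alone versions of the fixes
// described in CIVI-SA-2016-21 and CIVI-SA-2016-20. Function, table and
// column names are assumptions; the sample inputs are constructed.

declare(strict_types=1);

// Vulnerable: raw values are spliced into the statement. A contact "ID" of
// "1) OR (1=1" or a title of "Case Data' OR '1'='1" rewrites the WHERE clause.
function buildQueryVulnerable(array $contactIds, string $groupTitle): string
{
    return 'SELECT id, display_name FROM civicrm_contact'
        . ' WHERE id IN (' . implode(', ', $contactIds) . ')'
        . " AND custom_group_title = '" . $groupTitle . "'";
}

// Escape one value according to its declared SQL type. Values that do not
// fit the type throw rather than being coerced: an (int) cast of
// "1) OR (1=1" would quietly yield 1 and hide the attack from logs.
function escapeByType($value, string $type): string
{
    switch ($type) {
        case 'Positive':
            if (is_int($value) && $value > 0) {
                return (string) $value;
            }
            if (is_string($value) && preg_match('/^[1-9][0-9]*$/', $value)) {
                return $value;
            }
            throw new InvalidArgumentException('not a positive integer: ' . var_export($value, true));
        case 'String':
            if (!is_string($value)) {
                throw new InvalidArgumentException('not a string');
            }
            // MySQL-style escaping for a value placed inside single quotes.
            // Backslash is handled first so the backslashes added by the later
            // replacements are not themselves doubled. Stand-in only: in real
            // code use the driver's escape function or a bound parameter.
            return "'" . str_replace(
                ["\\", "\0", "\n", "\r", "'", '"', "\x1a"],
                ["\\\\", "\\0", "\\n", "\\r", "\\'", '\\"', "\\Z"],
                $value
            ) . "'";
        default:
            throw new InvalidArgumentException("unknown type $type");
    }
}

// Hardened: every dynamic value goes through escapeByType() with the type
// the query actually expects, and an empty ID list is rejected up front.
function buildQuerySafe(array $contactIds, string $groupTitle): string
{
    if ($contactIds === []) {
        throw new InvalidArgumentException('at least one contact id is required');
    }
    $ids = array_map(function ($id) {
        return escapeByType($id, 'Positive');
    }, $contactIds);
    return 'SELECT id, display_name FROM civicrm_contact'
        . ' WHERE id IN (' . implode(', ', $ids) . ')'
        . ' AND custom_group_title = ' . escapeByType($groupTitle, 'String');
}

// Constructed inputs: one benign request and two hostile ones.
$cases = [
    'benign'    => [[12, '37'], 'Case Data'],
    'bad id'    => [['12', '1) OR (1=1'], 'Case Data'],
    'bad title' => [[12], "Case Data' OR '1'='1"],
];

foreach ($cases as $name => [$ids, $title]) {
    echo "== $name\n";
    echo 'vulnerable: ', buildQueryVulnerable($ids, $title), "\n";
    try {
        echo 'safe:       ', buildQuerySafe($ids, $title), "\n";
    } catch (InvalidArgumentException $e) {
        echo 'safe:       rejected (', $e->getMessage(), ")\n";
    }
}
```

Run with the PHP CLI. The hostile ID is rejected outright, and the hostile title is emitted as a single quoted literal with its quotes escaped, so the OR clause never becomes SQL. The hand-rolled escaping assumes a UTF-8 connection charset; with a multibyte charset such as GBK only a charset-aware driver escape (or a bound parameter) is safe, which is one more reason to prefer bound parameters wherever the query API offers them.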

CIVI-SA-2016-17: Manage CSRF overrides for external profile forms

CiviCRM allows administrators to define custom profile-forms in which constituents enter their names, addresses, custom data, etc. CiviCRM is designed to embed all its forms within a CMS (such as Drupal, Joomla, or WordPress), but some administrators also need to embed profile-forms in an external site or custom HTML document. This has sometimes been accomplished with an "HTML Snippet" technique -- the bare, literal HTML code for a profile-form is manually copied and pasted to an external web site.