Published: Wed, 04 Jan 2023 12:00:03 -0800
Asset Builder allows CiviCRM and its extensions to generate dynamic assets. A vulnerability allowed third-parties to trick it into generating assets with unintended inputs.
Exploiting this vulnerability depends on several details (e.g. the asset data-types, input-parameters, and web-domain policies). For the specific assets and configurations that we tested, attacks were substantively constrained by the browsers' "Same Origin Policy". However, other assets and other configurations could be impacted more severely.
Published: Wed, 04 Jan 2023 12:00:02 -0800
CiviEvent included a vector for reflected cross-site-scripting (XSS) attacks.
Published: Wed, 04 Jan 2023 12:00:01 -0800
The "Help" subsystem did not sufficiently validate the location/origin of its source files. If combined with a web-based upload tool, this could allow a user to execute arbitrary code.
With CiviCRM's standard upload tools, exploiting this vulnerability requires permission "administer CiviCRM". However, other upload tools (such as CMS plugins) could provide other attack vectors.
Published: Wed, 01 Jun 2022 12:00:07 -0700
A vulnerability in processing APIv3 AJAX requests could allow a malicious request to bypass permission checks.
Published: Wed, 06 Apr 2022 12:00:06 -0700
The "dompdf" library has a vulnerability which allows remote code execution. It may be exploited by some backend users.
Published: Wed, 16 Mar 2022 12:00:05 -0700
The exact degree of exploitability for CiviCRM has not been determined.
Published: Wed, 16 Mar 2022 12:00:04 -0700
jQuery UI v1.12 included multiple cross-site scripting vulnerabilities.
It has not been demonstrated that CiviCRM specifically is exploitable. However, it is possible that third-party extensions could use jQuery UI in a vulnerable fashion.
Published: Wed, 16 Mar 2022 12:00:03 -0700
This is not a security vulnerability. It is a mitigation to protect against misconfiguration.
CiviCRM includes a large number of configurable permissions. Administrators may assign these permissions to various users and roles. This is powerful functionality that accommodates diverse needs, but it provides the opportunity for misconfiguration.
Misconfigurations may arise for a few reasons, such as:
Published: Wed, 16 Mar 2022 12:00:02 -0700
When importing "Participant" records for CiviEvent, some inputs were not suitably escaped.
Published: Wed, 16 Mar 2022 12:00:01 -0700
When accessing the Contribution View page insufficient permission checking was occurring which meant that if you knew the url and had the access CiviCRM permission you would be able to view contribution information that you shouldn't have.
Published: Tue, 17 Aug 2021 12:00:09 -0700
CiviCRM includes a rich text editing component, CKEditor, which recently released a security update (v4.16.2). This update addresses 3 security issues.
We expect that these vulnerabilities cannot be meaningfully exploited by automated bots or crawlers - but they may be exploitable with modest social-engineering. Thus, we advise upgrading (or using one of the alternative solutions below).
Published: Wed, 21 Apr 2021 09:00:08 -0700
Some permissions were not being checked adequately before returning results from the CiviCRM APIv4. This did not affect everyday use of CiviCRM, but an attacker could potentially exploit this to bypass security checks and read private data from the database. To date there are no known sites that have been compromised due to this bug. APIv3 was not affected.
Published: Mon, 22 Mar 2021 01:59:30 -0700
(This is a public service announcement related to security functionality. It does not detail an exploitable vulnerability. Rather, we wish to advise administrators and developers about an on-going change to improve security.)
CiviCRM v3.1 introduced a helper "CRM_Utils_Crypt" which encrypted the SMTP password. This mechanism is being phased-out circa 5.34 in favor of a more secure mechanism. We will briefly consider the purpose of the mechanism, some of its issues, and the details of the change.
Published: Thu, 11 Mar 2021 09:00:07 -0800
In the Joomla integration, some references to user-account records were not properly sanitized.
Published: Tue, 09 Mar 2021 09:00:06 -0800
CiviCRM's REST API traditionally requires two keys, the "API Key" and the "Site Key". The "Site Key" could potentially be extracted by a "timing attack". In this scenario, an attacker would send many invalid requests, build a statistical profile, and infer the most likely value.
Published: Tue, 09 Mar 2021 09:00:05 -0800
The introduction text on a Personal Campaign Page (PCP) was not properly sanitised prior to display on the Personal Campaign page.
Published: Tue, 09 Mar 2021 09:00:04 -0800
When generating the example code in the APIv4 Explorer, the user entered data was not properly sanitised before displaying as example code within the Explorer.
Published: Tue, 09 Mar 2021 09:00:03 -0800
Note: To exploit this, an attacker would need to gain control of a trusted developer account, and they would leave evidence in a public feed. At time of writing, there is no known evidence of previous attack. Resolving this issue prevents future attacks.
Published: Tue, 09 Mar 2021 09:00:02 -0800
The development tree for CiviCRM includes a handful of utility scripts in the folders "sql/" and "tools/". These scripts may manipulate data (e.g. generating fake contact records), and they lacked guards to protect from remote/malicious use.
This issue does not affect most deployments which use the standard CiviCRM releases ("*.tar.gz" or "*.zip"). The issue primarily affects developmental/testing systems or highly-customized deployments which directly read from CiviCRM's source code-management system ("git").
Published: Tue, 09 Mar 2021 09:00:01 -0800
This vulnerability does not escalate the permissions of the user. However, if the user imports data from another application/system, then it could be used for an attack.
Published: Wed, 19 Aug 2020 09:00:19 -0700
In some situations, users without the permission "edit contributions" could edit recurring contributions.
Published: Wed, 19 Aug 2020 09:00:18 -0700
In certain output media, error messages were not properly escaped.
This issue did not lead directly to cross-scripting, but it could lead to other HTML injections.
Published: Wed, 19 Aug 2020 09:00:17 -0700
For each session, CiviCRM stores a private session key. This patch addresses multiple issues which could compromise the strength or security of the key.
Published: Wed, 19 Aug 2020 09:00:16 -0700
The jQuery project released version 3.5.0, and as part of that, disclosed two security vulnerabilities that affect all prior versions. As mentioned in the jQuery blog, both are
"[...] security issues in jQuery’s DOM manipulation methods, as in .html(), .append(), and the others. Security advisories for both of these issues have been published on GitHub."
Those advisories are:
Published: Wed, 19 Aug 2020 09:00:15 -0700
In certain screens, the Activity "Subject" field was not properly escaped to prevent cross site scripting.