CIVI-SA-2013-002 - OpenFlashChart XSS

Security Risk: Moderately Critical
Cross Site Scripting

Affected Versions: CiviCRM v3.1.0 - v4.2.9, v4.3.0 - v4.3.3

Fixed Versions: CiviCRM v4.2.10 and v4.3.4

Publication Date: Monday, June 10, 2013

OpenFlashChart is a library used to render dashboards and reports in CiviCRM v3+. The library includes a program written for Adobe Flash which accepts data via the query string. The data is not properly sanitized. If an attacker provides an authorized user with a maliciously constructed link, the attacker can cause the user's browser to execute arbitrary JavaScript code.


Any ONE of the following solutions will provide protection:

  • Upgrade to CiviCRM v4.3.4 or 4.2.10
  • Upgrade the OpenFlashChart program included with your version of CiviCRM by downloading a security update and replacing the file "packages/OpenFlashChart/open-flash-chart.swf"
  • Remove the file "packages/OpenFlashChart/open-flash-chart.swf". (This will break reports and dashboards.)
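
To check installations against the version ranges and file path above, the following triage helper can be used. It is an added example, not code from CiviCRM; the install root and version string are assumed to be supplied by the operator, and the sample trees in `demo()` are constructed.

```python
import os
import re
import tempfile

# Path of the Flash file, relative to the CiviCRM root, as quoted in the advisory.
SWF_REL = os.path.join("packages", "OpenFlashChart", "open-flash-chart.swf")
# Inclusive affected ranges from the advisory.
AFFECTED = [((3, 1, 0), (4, 2, 9)), ((4, 3, 0), (4, 3, 3))]

def parse_version(text):
    """Turn 'v4.3.3' or '4.2' into a 3-tuple of ints; reject anything else."""
    m = re.fullmatch(r"v?(\d+)\.(\d+)(?:\.(\d+))?", text.strip())
    if not m:
        raise ValueError("unrecognised version: %r" % text)
    return tuple(int(g or 0) for g in m.groups())

def is_affected(version):
    v = parse_version(version)
    return any(lo <= v <= hi for lo, hi in AFFECTED)

def triage(civicrm_root, version):
    """Classify one install; root path and version are supplied by the operator."""
    if not is_affected(version):
        return "not-affected"
    if not os.path.isfile(os.path.join(civicrm_root, SWF_REL)):
        return "mitigated-swf-removed"
    # The file may already be the security-update copy; presence alone cannot tell.
    return "review-swf-present"

def demo():
    """Constructed sample trees (empty placeholder files, not real SWFs)."""
    samples = [("site-a", "4.3.3", True), ("site-b", "4.3.3", False),
               ("site-c", "4.2.10", True)]
    results = {}
    with tempfile.TemporaryDirectory() as base:
        for name, version, keep_swf in samples:
            root = os.path.join(base, name)
            swf = os.path.join(root, SWF_REL)
            os.makedirs(os.path.dirname(swf))
            if keep_swf:
                open(swf, "wb").close()
            results[name] = triage(root, version)
    return results

if __name__ == "__main__":
    for site, verdict in sorted(demo().items()):
        print(site, verdict)
```

A `review-swf-present` result means the version is in an affected range and the file exists, so the install still needs one of the three solutions unless the file has already been replaced with the security update.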