CIVI-SA-2013-002 - OpenFlashChart XSS

OpenFlashChart is a library used to render dashboards and reports in CiviCRM v3+. The library includes a program written for Adobe Flash which accepts data via query string. The data is not properly sanitisized. If an attacker provides an authorized user with a maliciously constructed link, the attacker can cause the user to execute arbitrary JavaScript code.

Security Risk

Moderately Critical

Vulnerability

Cross Site Scripting

Affected Versions

CiviCRM v3.1.0 - v4.2.9, v4.3.0 - v4.3.3

Fixed Versions

CiviCRM v4.2.10 and v4.3.4

Solutions

Any ONE of the following solutions will provide protection:

Upgrade to CiviCRM v4.3.4 or 4.2.10
Upgrade the OpenFlashChart program included with your version of CiviCRM by downloading a security update and replacing the file "packages/OpenFlashChart/open-flash-chart.swf"
Remove the file "packages/OpenFlashChart/open-flash-chart.swf". (This will break reports and dashboards.)

Credits

Deepankar Arora and Rafay Baloch (CXSecurity)
Chris Weber (Joobi Limited)
Bernard Toplak (Joomla VEL Team)
CiviCRM LLC

References

CVE

CVE-2013-1636

CIVI-SA-2013-002 - OpenFlashChart XSS

WORK WITH A TRUSTED EXPERT
TO SETUP YOUR CIVICRM

Languages

CIVI-SA-2013-002 - OpenFlashChart XSS

WORK WITH A TRUSTED EXPERT TO SETUP YOUR CIVICRM

WORK WITH A TRUSTED EXPERT
TO SETUP YOUR CIVICRM