CIVI-SA-2013-002 - OpenFlashChart XSS

Security Risk: Moderately Critical

Vulnerability: Cross Site Scripting

Affected Versions: CiviCRM v3.1.0 - v4.2.9, v4.3.0 - v4.3.3

Fixed Versions: CiviCRM v4.2.10 and v4.3.4

Publication Date: Monday, June 10, 2013

Description: 

OpenFlashChart is a library used to render dashboards and reports in CiviCRM v3+. The library includes a program written for Adobe Flash which accepts data via a query string. That data is not properly sanitised. If an attacker provides an authorised user with a maliciously constructed link, the attacker can cause that user's browser to execute arbitrary JavaScript code.

Solutions: 

Any ONE of the following solutions will provide protection:

  • Upgrade to CiviCRM v4.3.4 or 4.2.10
  • Upgrade the OpenFlashChart program included with your version of CiviCRM by downloading a security update and replacing the file "packages/OpenFlashChart/open-flash-chart.swf"
  • Remove the file "packages/OpenFlashChart/open-flash-chart.swf". (This will break reports and dashboards.)
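The following script is an added example and is not part of this advisory or of the CiviCRM project. It shows how an administrator might decide which of the three options above applies to a given install: it parses the CiviCRM version, compares it against the two affected ranges stated above (using integer tuples, since a string comparison would rank 4.2.10 below 4.2.9 and misclassify the fixed release), checks whether "packages/OpenFlashChart/open-flash-chart.swf" is still present, and implements the third option reversibly by moving the file out of the web root rather than deleting it. The function names, the quarantine location and the throwaway directory tree it builds for the demo are assumptions made here; the version ranges and the file path come from the advisory.

```python
"""
Added example (not the advisory's or CiviCRM's own code): classify a CiviCRM
install against CIVI-SA-2013-002 and optionally quarantine the OpenFlashChart
SWF. Version ranges and the SWF path are taken from the advisory text.
"""
import re
import shutil
import tempfile
from pathlib import Path

# Path named in the advisory, relative to the CiviCRM root.
SWF_RELATIVE_PATH = "packages/OpenFlashChart/open-flash-chart.swf"

# Inclusive (low, high) ranges copied from the advisory's "Affected Versions".
AFFECTED_RANGES = [
    ((3, 1, 0), (4, 2, 9)),
    ((4, 3, 0), (4, 3, 3)),
]


def parse_version(text):
    """Turn 'v4.2.9' or '4.3.4' into a tuple of ints.

    Tuples compare element-wise, so (4, 2, 10) > (4, 2, 9); a plain string
    comparison would put '4.2.10' before '4.2.9' and call the fix vulnerable.
    """
    m = re.fullmatch(r"v?(\d+)\.(\d+)\.(\d+)", text.strip())
    if not m:
        raise ValueError(f"unrecognised CiviCRM version string: {text!r}")
    return tuple(int(part) for part in m.groups())


def is_affected(version_text):
    """True if the version lies inside either inclusive range from the advisory."""
    v = parse_version(version_text)
    return any(low <= v <= high for low, high in AFFECTED_RANGES)


def assess(version_text, civicrm_root):
    """Report whether the install is exposed and which advisory options remain."""
    swf = Path(civicrm_root) / SWF_RELATIVE_PATH
    affected = is_affected(version_text)
    present = swf.is_file()
    if not affected:
        status = "not affected"
    elif not present:
        status = "affected version, SWF already removed (reports and dashboards disabled)"
    else:
        status = "vulnerable: affected version and SWF present"
    options = []
    if affected and present:
        options = [
            "upgrade to CiviCRM v4.3.4 or v4.2.10",
            "replace the SWF with the one from the security update",
            "remove the SWF (breaks reports and dashboards)",
        ]
    return {"affected_version": affected, "swf_present": present,
            "status": status, "options": options}


def quarantine_swf(civicrm_root, backup_dir):
    """Advisory option 3, done reversibly: move the SWF outside the web root.

    Returns the new location, or None if there was nothing to move.
    """
    swf = Path(civicrm_root) / SWF_RELATIVE_PATH
    if not swf.is_file():
        return None
    backup = Path(backup_dir)
    backup.mkdir(parents=True, exist_ok=True)
    dest = backup / swf.name
    shutil.move(str(swf), str(dest))
    return dest


def demo_on_temp_tree(version_text="v4.2.9"):
    """Build a throwaway CiviCRM-like tree with a placeholder SWF and run the checks.

    Both directories and the SWF contents are constructed here (assumption:
    a stand-in file is enough to exercise the presence check); nothing real
    is touched, and everything is deleted afterwards.
    """
    root = Path(tempfile.mkdtemp())       # stands in for the CiviCRM root
    backup = Path(tempfile.mkdtemp())     # separate directory, outside "web root"
    swf = root / SWF_RELATIVE_PATH
    swf.parent.mkdir(parents=True)
    swf.write_bytes(b"placeholder, not a real Flash file")
    before = assess(version_text, root)
    moved_to = quarantine_swf(root, backup)
    after = assess(version_text, root)
    shutil.rmtree(root)
    shutil.rmtree(backup)
    return {"before": before, "after": after, "moved": moved_to is not None}


if __name__ == "__main__":
    for key, value in demo_on_temp_tree().items():
        print(key, value)
```

In a real deployment you would pass the actual CiviCRM root to `assess` and a backup directory that the web server cannot serve to `quarantine_swf`; the demo only exercises the logic on a temporary tree.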

Credits:

CVE: