Security Risk: 
Moderately Critical
Vulnerability: 
Cross Site Scripting
Affected Versions: 
CiviCRM v4.5.0 - v4.5.6
CiviCRM v4.4.0 - v4.4.12
CiviCRM v4.3.0 - v4.3.10
CiviCRM v4.2.0 - v4.2.19
(Older versions: Unassessed)

Fixed Versions: 
CiviCRM v4.5.7+, v4.4.13+, v4.3.11+, and v4.2.20+

Publication Date: 
Wednesday, March 4, 2015
Description: 

Cross-Site Scripting (XSS) is a technique for embedding malicious content into the web page a server returns. This class of attack therefore targets end users rather than the web application itself. In a “reflected” XSS attack, the user requests a web page with a payload that is embedded in a crafted hyperlink or delivered by a malicious page.

Certain AJAX callbacks in CiviCRM did not properly encode their outputs, making them vulnerable to cross-site scripting attacks.
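To illustrate the defect class described above, the following is an added example and not CiviCRM's own code: a minimal AJAX callback that reflects a request parameter, shown in its unencoded form beside two hardened forms (HTML-encoded output, and a JSON response with protective headers). The parameter name `term`, the function names and the sample input are assumptions constructed for the example.

```php
<?php
// Added illustration, not CiviCRM code: a minimal AJAX callback that reflects a
// request parameter. The parameter name `term` and the function names are
// assumptions made for this example.

// Constructed sample input standing in for $_GET['term'].
$term = '<script>alert(1)</script>';

// Vulnerable pattern: the request value is written straight into an HTML
// fragment, so any markup the requester supplies is rendered by the browser.
function vulnerableCallback(string $term): string
{
    return '<div class="result">No matches for: ' . $term . '</div>';
}

// Hardened for an HTML context: encode before emitting. ENT_QUOTES covers both
// quote styles, so the value is also safe inside a quoted attribute.
function encodedCallback(string $term): string
{
    $safe = htmlspecialchars($term, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<div class="result">No matches for: ' . $safe . '</div>';
}

// Hardened for a JSON context: return data rather than markup. The JSON_HEX_*
// flags escape <, >, &, ' and " as \uXXXX so the raw response bytes never
// contain a tag, which matters if a response is ever mis-sniffed as HTML.
function jsonCallback(string $term): string
{
    $payload = ['term' => $term, 'matches' => []];
    return json_encode(
        $payload,
        JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT
    );
}

if (PHP_SAPI === 'cli') {
    // Run from the command line to compare the three outputs side by side.
    echo "vulnerable: ", vulnerableCallback($term), PHP_EOL;
    echo "encoded:    ", encodedCallback($term), PHP_EOL;
    echo "json:       ", jsonCallback($term), PHP_EOL;
} else {
    // Served over HTTP: emit the JSON variant with headers that stop browsers
    // from treating the body as an HTML document.
    header('Content-Type: application/json; charset=utf-8');
    header('X-Content-Type-Options: nosniff');
    echo jsonCallback($term);
}
```

The JSON variant only stays safe if the client inserts the returned values as text (DOM `textContent`, jQuery `.text()`); feeding them to `innerHTML` or `.html()` reintroduces the same reflected XSS on the client side. When reviewing callbacks for this class of bug, check every place a request value reaches the response and confirm the encoding matches the context it lands in (HTML body, attribute, or JSON).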

Solutions: 

Upgrade to CiviCRM v4.5.7+, v4.4.13+, v4.3.11+, or v4.2.20+

Credits: 
  • Sergey Ozernikov (Lateral Security)
  • Chris Burgess and Eileen McNaughton (Fuzion)
  • Peter Haight (Giant Rabbit)
  • Tim Otten (CiviCRM)