CIVI-SA-2015-002 - Reflected XSS in AJAX callbacks

2015-02-28 21:20
Written by

Cross-Site Scripting (XSS) is a technique used to embed malicious content into the resulting web page. As such, it is pertinent to note that this class of attack targets end-users rather than the web application itself. When this attack is considered “reflected”, a user requests a web page with a payload which is embedded within a crafted hyperlink or a malicious page.

Certain AJAX callbacks in CiviCRM did not properly encode their outputs - making them vulnerable to cross-site scripting attacks.

Security Risk
Moderately Critical
Cross Site Scripting
Affected Versions

CiviCRM v4.5.0 - v4.5.6

CiviCRM v4.4.0 - v4.4.12

CiviCRM v4.3.0 - v4.3.10

CiviCRM v4.2.0 - v4.2.19

(Older versions: Unassessed)

Fixed Versions

CiviCRM v4.5.7+, v4.4.13+, v4.3.11+, and v4.2.20+



Upgrade to CiviCRM v4.5.7+, v4.4.13+, v4.3.11+, or v4.2.20+

  • Sergey Ozernikov (Lateral Security)
  • Chris Burgess and Eileen McNaughton (Fuzion)
  • Peter Haight (Giant Rabbit)
  • Tim Otten (CiviCRM)