Security Risk: 
Moderately Critical
Cross Site Scripting
Affected Versions: 

Up to v4.7.4 and v4.6.15

Fixed Versions: 

v4.7.5+ and v4.6.16+

Publication Date: 
Wednesday, May 4, 2016

This release addresses an issue where it was possible to deliver a cross-site scripting attack through the CiviCRM backend.

To exploit this vulnerability, both the attacker and victim need permission to access the CiviCRM backend, and the victim must visit a specific screen.

For more information about this type of vulnerability, see OWASP's page on Cross Site Scripting.


Any ONE of the following solutions should provide protection:

  • Mattias Michaux
  • Chris Burgess (Fuzion)