CIVI-SA-2016-08: Persistent XSS in CiviCRM backend

2016-05-03 14:39
Written by

This release addresses an issue where it was possible to deliver a cross-site scripting attack through the CiviCRM backend.

To exploit this vulnerability, both the attacker and victim need permission to access the CiviCRM backend, and the victim must visit a specific screen.

For more information about this type of vulnerability, see OWASP's page on Cross Site Scripting.

Security Risk
Moderately Critical
Cross Site Scripting
Affected Versions

Up to v4.7.4 and v4.6.15

Fixed Versions

v4.7.5+ and v4.6.16+


Any ONE of the following solutions should provide protection:

  • Mattias Michaux
  • Chris Burgess (Fuzion)