CIVI-SA-2017-03: Cross Site Scripting in the recently viewed block

Published
2017-07-05 23:00
In the "Recently Viewed" block, the title field of the hyperlink was not properly escaped.
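
The defect described above is the classic attribute-context escaping mistake. The following Python is an added illustration (not CiviCRM's own code, which is PHP/Smarty) of the vulnerable rendering pattern next to its hardened form. The `RecentItem` structure, the contact URL and the sample title are constructed for the example; the check at the end reads the `title` attribute the way a browser tokenizer would, stopping at the first unescaped double quote, so an unescaped value that contains a quote fails to round-trip.

```python
import html
import re
from dataclasses import dataclass
from typing import Callable


@dataclass(frozen=True)
class RecentItem:
    """One entry in a 'recently viewed' list (hypothetical structure)."""
    title: str
    url: str


# Constructed sample: a contact name containing characters that are
# significant inside an HTML attribute value. No script is needed to
# show the defect; a single double quote already ends the attribute.
SAMPLE = RecentItem(
    title='Acme "Widgets" & Co <Ltd>',
    url="/civicrm/contact/view?cid=123&reset=1",  # hypothetical path
)


def render_link_unsafe(item: RecentItem) -> str:
    """Vulnerable pattern: the title is dropped into the attribute verbatim."""
    return f'<a href="{item.url}" title="{item.title}">{item.title}</a>'


def render_link_safe(item: RecentItem) -> str:
    """Hardened pattern: every untrusted value is escaped for its context.

    html.escape(quote=True) rewrites & < > " and ' so the value can sit
    inside a double-quoted attribute or a text node without being
    reinterpreted as markup.
    """
    safe_url = html.escape(item.url, quote=True)
    safe_title = html.escape(item.title, quote=True)
    return f'<a href="{safe_url}" title="{safe_title}">{safe_title}</a>'


_TITLE_ATTR = re.compile(r'title="([^"]*)"')


def title_attribute_survives(render: Callable[[RecentItem], str],
                             item: RecentItem) -> bool:
    """Check that the rendered title attribute round-trips to the input.

    The attribute value is taken up to the first unescaped double quote,
    which is where a browser's tokenizer would end it, then decoded. If
    the decoded value is not the original title, the input broke out of
    the attribute context and the rendering is unsafe.
    """
    match = _TITLE_ATTR.search(render(item))
    if match is None:
        return False
    return html.unescape(match.group(1)) == item.title


if __name__ == "__main__":
    for name, fn in (("unsafe", render_link_unsafe), ("safe", render_link_safe)):
        print(f"{name}: intact={title_attribute_survives(fn, SAMPLE)}")
        print("  " + fn(SAMPLE))
```

The same escaping call covers both the attribute and the visible link text; a template engine's default HTML escaping usually handles text nodes but must be applied explicitly (or with `quote=True` semantics) when a value is placed inside a quoted attribute.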

Security Risk
Less Critical
Vulnerability
Cross Site Scripting
Affected Versions
  • 4.7.20 and earlier
  • 4.6.28 and earlier
Fixed Versions
  • 4.7.21
  • 4.6.29
Solutions

Upgrade to the latest CiviCRM version

If you cannot upgrade, you should apply the following patch:

Credits

Chris Burgess of Fuzion Aotearoa for reporting the issue

Sean Madsen for fixing the issue


References

https://issues.civicrm.org/jira/browse/CRM-20046