CIVI-SA-2017-08 XSS in html link attributes

Published

2017-11-01 09:00

Written by

dev-team

In a number of locations within the CiviCRM code base there were potentially un-escaped variables passed into html link attributes such as alt and title. One such example was in event registration pages where administrators were able to set the button text and also the title attribute to anything they chose. This fixes it by properly escaping the content of those attributes.

Security Risk

Less Critical

Vulnerability

Cross Site Scripting

Affected Versions

CiviCRM Versions prior to 4.7.26 and 4.6.33

Fixed Versions

CiviCRM Versions 4.7.26 and 4.7.33

Solutions

Either Upgrade to the latest version of CiviCRM

4.7.26
4.6.33

or later

If you cannot upgrade apply the following patch

Credits

Sean Madsen of Left Join Labs for reporting the issue

Seamus Lee of Australian Greens for fixing the issue.

References

CRM-21006

We are in the process of translating the civicrm.org website. Translations may not be available in all languages. Read more and participate.

© 2005 - 2023, CIVICRM LLC. All rights reserved.
CiviCRM and the CiviCRM logo are trademarks of CIVICRM LLC. Except where otherwise noted, content on this site is licensed under a Creative Commons Attribution-Share Alike 3.0 United States Licence.

[D8]

CIVI-SA-2017-08 XSS in html link attributes

WORK WITH A TRUSTED EXPERT
TO SETUP YOUR CIVICRM

Languages

CIVI-SA-2017-08 XSS in html link attributes

WORK WITH A TRUSTED EXPERT TO SETUP YOUR CIVICRM

WORK WITH A TRUSTED EXPERT
TO SETUP YOUR CIVICRM