CIVI-SA-2017-10 XSS scripting in premium product name

2017-11-01 09:00

When creating a premium product in CiviCRM, the product name was not properly escaped when it was output as the alternate text of the product image. On contribution pages this had the potential to expose credit card information.
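The following added illustration (not CiviCRM's own code; function names and sample data are hypothetical) shows the bug class described above: a product name written unescaped into the alt attribute of the product image, beside the corrected rendering that escapes it for the attribute context.

```php
<?php
// Added illustration, not CiviCRM code: how a premium product name
// flows into the alt attribute of the product image, before and after
// output escaping. Function names and sample data are hypothetical.

// Constructed sample: a product name containing characters that are
// significant inside an HTML attribute value.
$product = [
    'name'      => 'Tote "Deluxe" <limited edition>',
    'image_url' => 'https://example.org/images/tote.png',
];

// Vulnerable form: the name is interpolated into alt="" unescaped, so a
// double quote in the name closes the attribute and whatever follows it
// is parsed by the browser as further markup of the <img> tag.
function renderPremiumImageVulnerable(array $product): string
{
    return '<img src="' . $product['image_url'] . '" alt="' . $product['name'] . '" />';
}

// Fixed form: escape every dynamic value for the attribute context.
// ENT_QUOTES converts both " and ' so the value cannot terminate the
// attribute regardless of which quote style the template uses.
function escAttr(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

function renderPremiumImageFixed(array $product): string
{
    return '<img src="' . escAttr($product['image_url']) . '" alt="' . escAttr($product['name']) . '" />';
}

// Simple review check: after escaping, the only double quotes left in
// the tag should be the attribute delimiters of src and alt themselves.
function attributeDelimiterCount(string $html): int
{
    return substr_count($html, '"');
}

$vulnerable = renderPremiumImageVulnerable($product);
$fixed      = renderPremiumImageFixed($product);

echo $vulnerable, PHP_EOL; // the name's own quotes leak into the markup
echo $fixed, PHP_EOL;      // the name's quotes are encoded as &quot;
echo 'quotes in vulnerable output: ', attributeDelimiterCount($vulnerable), PHP_EOL;
echo 'quotes in fixed output: ', attributeDelimiterCount($fixed), PHP_EOL;
```

The same escaping applies to every product field rendered into markup, not only the name; the check above is a quick way to spot attribute values that were not escaped.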

Security Risk

Moderately Critical (Cross-Site Scripting)
Affected Versions

CiviCRM versions prior to 4.7.26 and 4.6.33

Fixed Versions

CiviCRM versions 4.7.26 and 4.6.33


Upgrade to the latest CiviCRM version

  • 4.7.26
  • 4.6.33

or later

If you cannot upgrade, you should apply the following patch



Thanks to Sean Madsen of Left Join Labs for reporting the issue.

Thanks to Seamus Lee of Australian Greens for fixing the issue.