CIVI-SA-2017-10 XSS in premium product name

Published
2017-11-01 09:00
When a premium product in CiviCRM was configured with an image, the product name was output unescaped as the image's alternate text. A product name containing quote characters could therefore break out of the alt attribute and inject script into contribution pages (stored cross-site scripting), which had the potential to expose credit card information entered on those pages.
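To make the attribute-context escaping concrete, the following is an added PHP example (not CiviCRM's own code) that renders a premium product image the unsafe way and the hardened way. The function names, the image URL and the malicious product name are constructed for illustration; the fix itself is the standard one of escaping the value for the HTML attribute context with `htmlspecialchars()` and `ENT_QUOTES`.

```php
<?php
// Added example, not CiviCRM code. Demonstrates why an unescaped product
// name in an alt attribute is exploitable and what the escaped output looks
// like. All names, URLs and the payload below are constructed test data.

/**
 * Vulnerable rendering: the product name is concatenated straight into the
 * alt attribute. A double quote in the name terminates the attribute and
 * anything after it is parsed as further attributes on the <img> element.
 */
function renderPremiumImageUnsafe(string $imageUrl, string $name): string
{
    return '<img src="' . $imageUrl . '" alt="' . $name . '" />';
}

/**
 * Attribute-context escaping. ENT_QUOTES converts both " and ' to entities
 * so the value cannot close the attribute it sits in; ENT_SUBSTITUTE replaces
 * invalid UTF-8 sequences instead of returning an empty string, which would
 * otherwise silently drop the value.
 */
function escapeAttr(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/**
 * Hardened rendering: every untrusted value placed in an attribute is escaped
 * for that context. The src is escaped as well, since the same bug class
 * applies to any attribute built from stored data.
 */
function renderPremiumImageSafe(string $imageUrl, string $name): string
{
    return '<img src="' . escapeAttr($imageUrl) . '" alt="' . escapeAttr($name) . '" />';
}

// Constructed malicious premium product name (hypothetical payload). The
// leading quote closes alt="..." and onload= becomes a new attribute that
// runs as soon as the image loads on the contribution page.
$name     = 'Tote bag" onload="alert(document.cookie)';
$imageUrl = 'https://example.org/images/totebag.png';

echo renderPremiumImageUnsafe($imageUrl, $name), PHP_EOL;
echo renderPremiumImageSafe($imageUrl, $name), PHP_EOL;
```

Run with `php example.php`. In the first line of output the quote in the name closes the alt attribute and `onload` appears as a separate attribute on the tag; in the second the quotes are rendered as `&quot;` entities and the whole payload remains inert text inside alt. CiviCRM's templates are Smarty, where the equivalent of `escapeAttr()` is the `|escape` modifier applied to the variable at the point it is output; the check to make when reviewing templates is that every value placed inside an attribute carries that modifier.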

Security Risk
Moderately Critical
Vulnerability
Cross Site Scripting
Affected Versions

CiviCRM versions prior to 4.7.26 and 4.6.33

Fixed Versions

CiviCRM version 4.7.26 and 4.6.33

Solutions

Upgrade to the latest CiviCRM version

  • 4.7.26
  • 4.6.33

or later

If you cannot upgrade, you should apply the following patch:

 

Credits

Sean Madsen of Left Join Labs for reporting the issue.

Seamus Lee of Australian Greens for fixing the issue.

References