CIVI-SA-2017-12 XSS in Tag description

Published
2017-11-01 09:00
Written by
dev-team - member of the CiviCRM community

An administrator could store cross-site scripting (XSS) code in the description field of a tag. The stored description was later output, unescaped, as the value of an HTML alt attribute, so script embedded in it executed in the browser of any user to whom that markup was shown. The alt attribute value is now properly escaped.
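The following is an added illustration of the attribute-context escaping the advisory describes; it is not CiviCRM code and does not reproduce the project's templates. It renders a constructed tag description into an img alt attribute both verbatim (the vulnerable behaviour) and escaped (the fix), and then splits the resulting markup into attributes the way a browser would, so the difference is visible: the unescaped description closes the alt attribute with a leading double quote and smuggles in an onerror handler, while the escaped one stays a single attribute value that round-trips to the original text. Function names, the sample descriptions and the src filename are assumptions for the example.

```python
import html
import re

# Constructed samples (not from the advisory). The malicious one starts with a
# double quote that terminates the alt attribute, then adds an event handler.
MALICIOUS_DESCRIPTION = '" onerror="alert(document.cookie)'
BENIGN_DESCRIPTION = 'Donors who gave "in memory" of someone'


def render_alt_unescaped(description: str) -> str:
    """Vulnerable rendering: the stored description is interpolated verbatim
    into a double-quoted alt attribute (hypothetical src filename)."""
    return f'<img src="tag.png" alt="{description}">'


def render_alt_escaped(description: str) -> str:
    """Hardened rendering: escape &, <, >, " and ' before interpolation, so no
    character in the value can terminate the attribute or start a new one."""
    return f'<img src="tag.png" alt="{html.escape(description, quote=True)}">'


# Minimal split of name="value" pairs, enough to show what attributes a browser
# would parse out of the rendered element.
_ATTR_RE = re.compile(r'(\w+)="([^"]*)"')


def attributes_of(markup: str) -> dict:
    """Return the attribute name -> raw value mapping of the rendered element."""
    return dict(_ATTR_RE.findall(markup))


def injected_handler_present(markup: str) -> bool:
    """True if the rendered element carries any on* event-handler attribute."""
    return any(name.lower().startswith("on") for name in attributes_of(markup))


def roundtrips(description: str) -> bool:
    """True if the escaped rendering keeps the description as one attribute
    value that decodes back to the original text."""
    attrs = attributes_of(render_alt_escaped(description))
    return set(attrs) == {"src", "alt"} and html.unescape(attrs["alt"]) == description


if __name__ == "__main__":
    print("vulnerable:", render_alt_unescaped(MALICIOUS_DESCRIPTION))
    print("  handler injected:", injected_handler_present(render_alt_unescaped(MALICIOUS_DESCRIPTION)))
    print("fixed:     ", render_alt_escaped(MALICIOUS_DESCRIPTION))
    print("  handler injected:", injected_handler_present(render_alt_escaped(MALICIOUS_DESCRIPTION)))
    print("  benign text preserved:", roundtrips(BENIGN_DESCRIPTION))
```

The escaping call is the whole fix: in PHP the equivalent is htmlspecialchars($value, ENT_QUOTES, 'UTF-8'), and the ENT_QUOTES flag matters because an attribute delimited by single quotes is otherwise still escapable. Escaping on output, at the point where the value enters an attribute, is the right layer; stripping tags on input would not have helped here, since the payload contains no tag at all.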

Security Risk
Critical
Vulnerability
Cross Site Scripting
Affected Versions

CiviCRM Versions prior to 4.7.26

Fixed Versions

CiviCRM Versions 4.7.26

Solutions

Upgrade to the latest version of CiviCRM:

  • 4.7.26

or later

If you cannot upgrade, you should apply the following patch

Credits

Sean Madsen of Left Join Labs for reporting the issue.

Seamus Lee of Australian Greens for fixing the issue.

References