CIVI-SA-2017-13 SelectedChild url parameter not properly validated for CiviCRM message templates

Published
2017-11-01 09:00
Written by

When viewing the list of message templates, a variable called selectedChild could be passed through the URL to specify which of the two lists the page would default to showing. This variable was not properly validated against the two known types (user and workflow). The URL parameter is now properly validated.
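The defensive pattern the advisory describes, shown as an added example in plain PHP (this is not CiviCRM's code and not the actual patch, which the page does not reproduce): the unsafe version hands the raw selectedChild value straight through, while the hardened version allowlists it against the two tab names named above and falls back to a default for anything else. The function names, the DEFAULT_TAB choice and the sample queries are assumptions made for the illustration.

```php
<?php
// Added example, not CiviCRM's own code. Demonstrates validating the
// selectedChild query parameter against the two known tab names.

const KNOWN_TABS = ['user', 'workflow']; // the two types named in the advisory
const DEFAULT_TAB = 'user';              // assumed fallback for this example

// Unsafe pattern: whatever arrives in the URL is used as the tab name,
// so an attacker-controlled string reaches the rendered page unchanged.
function selectedTabUnsafe(array $query): string
{
    return $query['selectedChild'] ?? DEFAULT_TAB;
}

// Hardened pattern: strict (type-safe) allowlist check; any value that is
// not one of the known tabs is replaced by the default rather than echoed.
function selectedTabSafe(array $query): string
{
    $requested = $query['selectedChild'] ?? DEFAULT_TAB;
    return in_array($requested, KNOWN_TABS, true) ? $requested : DEFAULT_TAB;
}

// Defence in depth: even an allowlisted value is escaped at the point it is
// written into HTML, so a later change to KNOWN_TABS cannot reintroduce XSS.
function renderTabAttribute(string $tab): string
{
    return 'data-selected-tab="' . htmlspecialchars($tab, ENT_QUOTES | ENT_HTML5, 'UTF-8') . '"';
}

// Constructed sample query strings (not real requests): a valid tab, an
// unknown tab, a value containing HTML metacharacters, and no parameter.
$samples = [
    ['selectedChild' => 'workflow'],
    ['selectedChild' => 'unknown'],
    ['selectedChild' => '"><b>x'],
    [],
];

foreach ($samples as $q) {
    $raw = $q['selectedChild'] ?? '(absent)';
    printf("%-12s unsafe=%-12s safe=%-9s rendered=%s\n",
        $raw,
        selectedTabUnsafe($q),
        selectedTabSafe($q),
        renderTabAttribute(selectedTabSafe($q))
    );
}
```

Note the third argument to in_array: the strict comparison prevents loose-typing surprises (for example "0" comparing equal to unexpected values) and keeps the check a true allowlist. Validating against a fixed set of known values, rather than trying to strip dangerous characters, is the approach that closes this class of issue.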

Security Risk
Critical
Vulnerability
Cross Site Scripting
Affected Versions

CiviCRM Versions prior to 4.7.26 and 4.6.33

Fixed Versions

CiviCRM Versions 4.7.26 and 4.6.33

Solutions

Upgrade to the latest CiviCRM Version:

  • 4.7.26
  • 4.6.33

or later

If you cannot upgrade, apply the following patch.

Credits

Sean Madsen of Left Join Labs for reporting the issue

Seamus Lee of Australian Greens for fixing the issue

References