CIVI-SA-2017-15 Extension key not properly validated when adding, disabling or uninstalling an extension

2017-11-01 09:00
Written by
dev-team - member of the CiviCRM community

There was no validation of the `key` URL parameter, which allowed cross-site scripting to occur. The fix adds validation to ensure the key matches the standard extension key pattern.
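The following is an added example, not CiviCRM's own code or the patch shipped with this advisory. It shows the shape of the problem described above (a request parameter reflected into HTML without validation) beside the hardened shape (the key is accepted only if it matches an allow-list pattern, and is escaped on output as well). The pattern itself is an assumption: CiviCRM extension keys are conventionally reverse-domain identifiers such as `org.example.myext`, so the example accepts letters, digits, dots, underscores and hyphens only. The function names and sample inputs are constructed for illustration.

```php
<?php
// Added example (not CiviCRM's own code). The key pattern is an ASSUMPTION
// based on the reverse-domain convention for extension keys; adjust it to
// whatever your deployment actually allows.
const EXTENSION_KEY_PATTERN = '/^[A-Za-z0-9][A-Za-z0-9._-]*$/';

/**
 * Return the key unchanged if it looks like an extension key, otherwise null.
 * Anything outside the allow-list (angle brackets, quotes, spaces, slashes)
 * is rejected before the value is used anywhere.
 */
function validateExtensionKey(string $key): ?string {
    if ($key === '' || strlen($key) > 255) {
        return null;
    }
    return preg_match(EXTENSION_KEY_PATTERN, $key) === 1 ? $key : null;
}

/**
 * "Before" shape of the issue: the raw parameter is placed into HTML with no
 * validation and no escaping, so whatever the URL contained is rendered.
 */
function renderUnvalidated(string $key): string {
    return "<p>Extension {$key} could not be found.</p>";
}

/**
 * Hardened shape: validate the key against the allow-list first, then escape
 * on output too, so safety does not rest on a single check.
 */
function renderValidated(string $key): string {
    $safeKey = validateExtensionKey($key);
    if ($safeKey === null) {
        return '<p>Invalid extension key.</p>';
    }
    return '<p>Extension '
        . htmlspecialchars($safeKey, ENT_QUOTES, 'UTF-8')
        . ' could not be found.</p>';
}

// Constructed sample inputs: one legitimate key, one that is clearly not a key.
$samples = [
    'org.example.myext',
    'not a key<b>',
];
foreach ($samples as $sample) {
    echo "input: {$sample}\n";
    echo '  unvalidated: ' . renderUnvalidated($sample) . "\n";
    echo '  validated:   ' . renderValidated($sample) . "\n";
}
```

Run it with `php example.php`. The first sample passes both renderers unchanged; the second is rendered verbatim by `renderUnvalidated` but rejected by `renderValidated` before it reaches the page. The same allow-list check belongs wherever the key is read from the request, whether the action is add, disable or uninstall, since all three paths take the same parameter.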

Security Risk
Cross Site Scripting
Affected Versions

CiviCRM Versions prior to 4.7.26 and 4.6.33

Fixed Versions

CiviCRM Versions 4.7.26 and 4.6.33


Upgrade to the latest version of CiviCRM:

  • 4.7.26
  • 4.6.33

or later

If you cannot upgrade, apply the following patch:


Sean Madsen of Left Join Labs for reporting and helping to fix the issue.

Seamus Lee of Australian Greens for fixing the issue.