CIVI-SA-2018-02: Reflected XSS in Reports

2018-07-18 09:00
Written by

When generating a report, users are able to pass filters in the URL. Some filters in contribution reports were not properly escaped. Additionally, on systems that enabled developer output for reports, the developer outputs were not properly escaped.
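The two rendering paths described above, as an added illustration that is not CiviCRM's own code: a report filter value read from the URL is written back into the page, first verbatim (the pattern behind the advisory) and then passed through HTML escaping, and the same escaping is applied to developer/debug output. The parameter name `filter`, the function names and the sample value are assumptions made for this example.

```php
<?php
// Added example, not CiviCRM code. It assumes the report filter arrives as
// $_GET['filter'] and is echoed into both an attribute and element text.
declare(strict_types=1);

/**
 * Escape a value for insertion into HTML text or a double-quoted attribute.
 * ENT_QUOTES covers both ' and ", so the value cannot close an attribute early;
 * ENT_SUBSTITUTE replaces invalid UTF-8 instead of returning an empty string.
 */
function escapeHtml(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

/** Vulnerable rendering: the filter is concatenated into the page as-is. */
function renderFilterUnescaped(string $filter): string
{
    return '<input type="text" name="filter" value="' . $filter . '">'
         . '<p>Showing contributions matching: ' . $filter . '</p>';
}

/** Hardened rendering: every point where the filter enters HTML is escaped. */
function renderFilterEscaped(string $filter): string
{
    $safe = escapeHtml($filter);
    return '<input type="text" name="filter" value="' . $safe . '">'
         . '<p>Showing contributions matching: ' . $safe . '</p>';
}

/**
 * Developer output has the same weakness: dumping request parameters inside
 * <pre> does not stop the browser from interpreting tags, so the dump is
 * escaped before it is placed in the page.
 */
function renderDebugOutput(array $params): string
{
    return '<pre>' . escapeHtml(print_r($params, true)) . '</pre>';
}

// Constructed sample value: a filter that contains markup, as it could arrive
// in a crafted URL. Any string with quotes or angle brackets behaves the same.
$filter = $_GET['filter'] ?? '"><i>injected</i>';

// Unescaped: the closing quote ends the value attribute and <i> is rendered
// as markup, which is the reflected XSS condition.
echo renderFilterUnescaped($filter), PHP_EOL;

// Escaped: quotes and angle brackets become entities, so the whole value
// stays inside the attribute and is displayed as literal text.
echo renderFilterEscaped($filter), PHP_EOL;

// Developer output path, also escaped.
echo renderDebugOutput(['filter' => $filter, 'report' => 'contribution summary']), PHP_EOL;
```

To check a report page after patching, view the page source rather than the rendered page: a filter value that appears with `&quot;`, `&lt;` and `&gt;` in place of the original characters has been escaped; one that appears verbatim has not.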

Extended Reports Extension:

For those CiviCRM users that use the extended reports extension, the CiviCRM Security Team advises that you should upgrade to the latest version of the extended reports extension if possible. The extension from version 2.6 onwards will only work with CiviCRM versions 4.7+. For versions before 4.7, the CiviCRM Security Team advises that users should uninstall the extension on their systems.

Security Risk
Cross Site Scripting
Affected Versions

CiviCRM versions 5.3.0 and 4.6.37 (and earlier)

Fixed Versions

CiviCRM version 5.3.1 and 4.6.38 (and later)


Update to the latest version of CiviCRM

If you cannot upgrade then apply the following patch:

Patrick Figel of Greenpeace for reporting the issue.
Eileen McNaughton of Wikimedia Foundation and Sean Madsen of Left Join Labs for fixing the issue.