CIVI-SA-2019-03: XSS in "Logging Details" Report

Published
2019-02-20 09:00
Written by

In the "Logging Details" report, some parameters were not being properly sanitised.

Security Risk
Critical
Vulnerability
Cross Site Scripting
Affected Versions

CiviCRM Versions 5.10.2 and earlier

Fixed Versions

CiviCRM Versions 5.10.3 and 4.7.4

Solutions

Upgrade to the latest version of CiviCRM.

Credits

Patrick Figel of Greenpeace for reporting the issue.

Seamus Lee of Australian Greens for fixing the issue.

References

security/core#32