Security Risk:
Moderately Critical
Vulnerability:
Cross Site Scripting
Affected Versions:
CiviCRM 5.13.0 and earlier
Fixed Versions:
CiviCRM version 5.13.4 and 5.7.6
Publication Date:
Wednesday, May 15, 2019
Description:
When determining the installer type that is being used, the variable was not properly validated to ensure that it was only one of a specific set of installer types.
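The kind of check described above, as an added example that is not CiviCRM's own code: an installer-type value is accepted only if it exactly matches an allowlist, and anything echoed back is HTML-encoded. The function names, the allowlisted values and the sample inputs are all assumptions made for illustration.

```php
<?php
// Added illustration; names and values below are assumptions, not CiviCRM source.

// Constructed allowlist of installer types (hypothetical values).
const ALLOWED_INSTALL_TYPES = ['drupal', 'wordpress', 'backdrop'];

/**
 * Return the installer type only if it exactly matches an allowlisted value.
 * Anything else (arrays, markup, unknown strings) yields null.
 */
function resolve_install_type($raw): ?string {
    if (!is_string($raw)) {
        return null;
    }
    $candidate = strtolower(trim($raw));
    // Strict comparison avoids PHP's loose type juggling in in_array().
    return in_array($candidate, ALLOWED_INSTALL_TYPES, true) ? $candidate : null;
}

/**
 * Build the message shown to the user. A rejected value is never echoed raw;
 * it is HTML-encoded as a second layer of defence.
 */
function render_install_banner($raw): string {
    $type = resolve_install_type($raw);
    if ($type === null) {
        $shown = is_string($raw) ? $raw : '(non-string value)';
        return 'Unsupported installer type: '
            . htmlspecialchars($shown, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
    return 'Installing for ' . $type;
}

// Constructed sample inputs, as they might arrive in a request parameter.
$samples = ['drupal', ' WordPress ', '<b>not-a-type</b>', ['drupal']];
foreach ($samples as $sample) {
    echo render_install_banner($sample), PHP_EOL;
}
```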
Solutions:
Upgrade to the latest version of CiviCRM
Credits:
Patrick Figel of Greenpeace for reporting the issue
Seamus Lee of Australian Greens for fixing the issue
References:
security/core#52