CIVI-SA-2019-22: XSS in dashboard titles

Published
2019-11-20 09:00
Written by

When loading dashboard dashlets, the system did not ensure that dashlet titles were properly escaped before they were rendered.
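
As an added illustration (not CiviCRM's own code; the dashlet data, function names and markup are constructed for this example), the unescaped rendering pattern next to its escaped form, plus a check a test suite could run over rendered dashlet headers:

```javascript
// Added example, not CiviCRM's code. Names and markup are hypothetical.
// Dashlet titles are stored in the database and later rendered into the
// dashboard, so an unescaped title is a stored XSS sink.

// Constructed sample dashlets, as the dashboard would load them.
const DASHLETS = [
  { id: 1, title: 'Recent Contributions' },
  { id: 2, title: 'Donations <script>alert(1)</script>' }, // constructed hostile title
];

// Minimal HTML escaper for text placed between tags or inside a quoted attribute.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Vulnerable pattern: the title is concatenated straight into markup,
// so any HTML it contains becomes part of the page.
function renderDashletHeaderUnsafe(dashlet) {
  return '<div class="dashlet-header" data-id="' + dashlet.id + '">'
    + '<h3>' + dashlet.title + '</h3></div>';
}

// Hardened pattern: the same markup, with the title escaped first and the
// id coerced to a number so neither field can introduce markup.
function renderDashletHeaderSafe(dashlet) {
  return '<div class="dashlet-header" data-id="' + Number(dashlet.id) + '">'
    + '<h3>' + escapeHtml(dashlet.title) + '</h3></div>';
}

// Regression check: after removing the tags the template itself emits,
// anything that still looks like a tag must have come from the data.
function containsInjectedTag(html) {
  const stripped = html.replace(/<\/?(div|h3)\b[^>]*>/g, '');
  return /<[a-zA-Z!/]/.test(stripped);
}
```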

Security Risk
Critical
Vulnerability
Cross Site Scripting
Affected Versions
  • CiviCRM before 5.19.2 and before 5.13.7
Fixed Versions
  • CiviCRM 5.19.2 and 5.13.7
Solutions

Upgrade to the latest version of CiviCRM

Credits

Daniel Compton of Armadillo Sec Ltd for reporting the issue

Patrick Figel of Greenpeace CEE and Seamus Lee of Australian Greens for fixing the issue

References

security/core#65