Security Risk: Critical
Vulnerability: Cross Site Scripting
Affected Versions:
  • CiviCRM before 5.19.2 and before 5.13.7
Fixed Versions:
  • CiviCRM 5.19.2 and 5.13.7
Publication Date: Wednesday, November 20, 2019
Description: 

When loading dashboard dashlets, the system did not ensure that each dashlet's title was properly escaped.
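
The pattern behind this class of bug, as an added illustration that is not CiviCRM's own code: a hypothetical renderer that concatenates a dashlet title straight into markup, beside one that escapes the title at the point of insertion. The dashlet object, the `renderDashlet*` functions and the sample title are all constructed for the example.

```javascript
// Added example (not CiviCRM code): rendering a dashlet title into HTML
// with and without output escaping.

// Escape the five characters that matter in HTML element content and
// quoted attribute values.
function escapeHtml(text) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(text).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Unsafe pattern: the stored title is inserted verbatim, so any markup
// in the title becomes part of the page.
function renderDashletUnsafe(dashlet) {
  return '<div class="dashlet"><h3>' + dashlet.title + "</h3></div>";
}

// Hardened pattern: the title is treated as text and escaped where it
// enters the markup, so it is displayed literally.
function renderDashletSafe(dashlet) {
  return '<div class="dashlet"><h3>' + escapeHtml(dashlet.title) + "</h3></div>";
}

// Simple check for a rendered fragment: the only tags present should be
// the three the renderer itself emits (div, h3 and their closers).
function hasOnlyExpectedTags(html) {
  const tags = html.match(/<\/?[a-zA-Z][^>]*>/g) || [];
  return tags.every((t) => /^<\/?(div|h3)\b/.test(t));
}

// Constructed sample: a title containing markup characters (hypothetical).
const sampleDashlet = { name: "constructed_dashlet", title: "Events & <b>Donations</b>" };

console.log(renderDashletUnsafe(sampleDashlet)); // markup from the title is live
console.log(renderDashletSafe(sampleDashlet));   // title shown as literal text
```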

Solutions: 

Upgrade to the latest version of CiviCRM

Credits: 

Daniel Compton of Armadillo Sec Ltd for reporting the issue

Patrick Figel of Greenpeace CEE and Seamus Lee of Australian Greens for fixing the issue

References: 

security/core#65