Security Risk: 
Critical
Vulnerability: 
Cross Site Scripting
Affected Versions: 
  • CiviCRM 5.19.0 - 5.19.1
  • Any previous version of CiviCRM - with extension "org.civicrm.api4" before 4.5.3 or 4.4.4
Fixed Versions: 
  • CiviCRM 5.19.2 - with APIv4 builtin
  • CiviCRM 5.13.7 - with bundled extension "org.civicrm.api4" (v4.4.4)
  • Any previous version of CiviCRM - with extension "org.civicrm.api4" (v4.4.4+ or v4.5.3+)
Publication Date: 
Wednesday, November 20, 2019
Description: 

Several CiviCRM fields are stored with an unconventional "HTML-esque" encoding. Consumers which read or write these fields via APIv4 have been prone to mishandling those strings (which can lead to cross-site scripting vulnerabilities and/or quirky outputs). In APIv3, the issue was previously mitigated by automatically transcoding strings. This revision extends the same mitigation to APIv4.

Most APIv4 consumers should automatically become more secure with this update.

Hypothetically, some APIv4 consumers may need to be revised -- for example, if you independently observed a cross-site scripting vulnerability or miscoded symbol output when handling strings from APIv4, and if you mitigated by explicitly applying "HTML-esque" encoding/decoding, then you may need to retest/revise. However, we have not encountered a consumer like this - and we do not expect this situation to be common.

Solutions: 

Upgrade to the latest version of CiviCRM

Credits: 

Tim Otten of CiviCRM for reporting and fixing the issue

References: 

security/core#67