CiVI-SA-2020-08: XSS via JS libraries

2020-04-15 12:00
Written by

Two Javascript libraries (QUnit and Google Code Prettify) are used with CiviCRM. These libraries include some assets which can be used in a cross-site scripting attack and which are not required for CiviCRM at runtime.

Security Risk
Cross Site Scripting
Affected Versions

CiviCRM version 5.24.2 and earlier

Fixed Versions

CiviCRM version 5.24.3 and 5.21.3


One or both of the following may be required:

  • (Usual) Upgrade to the latest version of CiviCRM
  • (Unusual) Manually delete unnecessary files. For QUnit, delete all files. For Google Code Prettifier, delete demo files.

Note: Upgrade procedures vary slightly based on the CMS and the system administrator's worfklows. For most, performing the upgrade will also delete the unnecessary files. However, in some cases, an upgraded system may retain unnecessary files. If this happens, the system will display an alert and ask the administrator to delete the files manually.


Cure53 and Mozilla Open Source Support (MOSS) for reporting the isssue
Seamus Lee (JMA Consulting & CiviCRM) and Tim Otten (CiviCRM) for resolving the issue