CIVI-SA-2020-10: Cross Site Scripting in Activity Details

Published
2020-08-19 09:00
Written by

When viewing an activity, the activity details were not sufficiently filtered to prevent cross-site scripting attacks.

Security Risk
Critical
Vulnerability
Cross Site Scripting
Affected Versions

CiviCRM version 5.28.0 and earlier

Fixed Versions

CiviCRM version 5.28.1 and 5.27.5 ESR

Publication Date
Solutions

Upgrade to the latest version

Credits

Sean Colesen of Left Join Labs and Patrick Figel of Greenpeace CCE for reporting the issue
Seamus Lee of CiviCRM Core Team for fixing the issue

References

security/core#78
CRM-21010