CIVI-SA-2020-18: HTML Injection through error message

Published
2020-08-19 09:00

In certain output media, error messages were not properly escaped.

This issue did not lead directly to cross-site scripting, but it could lead to other HTML injections.

Security Risk

Critical

Vulnerability

Other
Affected Versions

CiviCRM version 5.28.0 and earlier

Fixed Versions

CiviCRM version 5.28.1 and 5.27.5 ESR

Solutions

Upgrade to the latest version of CiviCRM

Credits

Cure53 and Mozilla Open Source Support (MOSS) for reporting the issue
Seamus Lee and Coleman Watts of CiviCRM Core Team for fixing the issue

References

CIV-01-008