CIVI-SA-2021-03: Cross Site Scripting in "Manage Extensions"

2021-03-09 09:00
Written by

The "Manage Extensions" screen provides a list of extensions published by third-party developers. If an extension had a malicious description, it could trick the user's browser into executing Javascript code.

Note: To exploit this, an attacker would need to gain control of a trusted developer account, and they would leave evidence in a public feed. At time of writing, there is no known evidence of previous attack. Resolving this issue prevents future attacks.

Security Risk
Cross Site Scripting
Affected Versions

CiviCRM versions 5.35.0 and earlier

Fixed Versions

CiviCRM version 5.35.1 and ESR version 5.33.3

Publication Date

Upgrade to the latest version of CiviCRM


Dave D for reporting the issue

Seamus Lee of JMA Consulting / CiviCRM Core Team and Monish Deb of JMA Consulting for fixing the issue

Deutsche Gesellschaft für Internationale Zusammenarbeit (GIZ) GmbH for funding the fix