CIVI-SA-2023-08: KCFinder XSS

2023-09-06 12:00
Written by

KCFinder provides a file-management dialog for CKEditor 4. It included two vulnerabilities:

  1. It allowed a "reflected" cross-site scripting (XSS) attack.
  2. It bypassed a CiviCRM policy option which limits file uploads. (This bypass was still subject to other restrictions. The likely impact is to allow a "stored" XSS attack. However, it is possible for there to be other impacts.)

Security Risk

Moderately Critical
Access Bypass
Cross Site Scripting

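The two issues above map to two distinct server-side controls: escaping user-controlled strings before they are reflected into HTML, and enforcing the file-upload extension policy on the final, normalized file name. The following is an added illustration of both controls written for this page; it is not KCFinder or CiviCRM code, says nothing about how the actual defects arose, and its allowlist and sample names are constructed assumptions.

```python
import html
import os

# Constructed example of a site upload policy (assumption, not a CiviCRM setting).
ALLOWED_EXTENSIONS = {"jpg", "jpeg", "png", "gif", "pdf", "txt"}

# Extensions a browser or server may treat as active content. A stored XSS via
# file upload typically needs one of these to be served back, so they are refused
# even if an administrator lists them in the policy.
ACTIVE_CONTENT = {"html", "htm", "xhtml", "svg", "js", "php", "phtml", "phar"}


def upload_allowed(filename, allowed=ALLOWED_EXTENSIONS):
    """Return (ok, reason) for a proposed upload name.

    The policy is applied to the normalized base name, case-insensitively,
    and to every dotted segment, so that path components, upper-case
    extensions and double extensions cannot slip past the check.
    """
    base = os.path.basename(filename.replace("\\", "/"))
    if base in ("", ".", ".."):
        return False, "empty or dot name"
    if "\x00" in base:
        return False, "null byte in name"
    parts = base.lower().split(".")
    if len(parts) < 2 or parts[-1] == "":
        return False, "no extension"
    # Every segment after the first is a candidate extension a server might honour.
    for seg in parts[1:]:
        if seg in ACTIVE_CONTENT:
            return False, f"active content extension '{seg}'"
    ext = parts[-1]
    if ext not in allowed:
        return False, f"extension '{ext}' not permitted by policy"
    return True, "ok"


def render_file_list_item(name):
    """Reflect a user-controlled file name into HTML without enabling XSS.

    html.escape with quote=True neutralises <, >, &, " and ', which covers
    both element content and attribute values.
    """
    return f"<li>{html.escape(name, quote=True)}</li>"


if __name__ == "__main__":
    # Constructed sample names exercising the policy checks.
    for sample in ["photo.JPG", "report.pdf", "page.html", "x.php.jpg", "notes", "a.svg"]:
        print(f"{sample!r:>14} -> {upload_allowed(sample)}")
    print(render_file_list_item('<b title="x">name</b>'))
```

The double-extension loop is deliberately stricter than checking only the last segment: which segment a web server honours depends on its configuration, so a policy check that only inspects the final extension can be weaker than the policy it is meant to enforce.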
Affected Versions

CiviCRM version 5.64.3 and earlier

Fixed Versions

CiviCRM version 5.64.4, 5.65.0 and 5.63.4 (ESR)

Publication Date

2023-09-06

Upgrade to the fixed version of CiviCRM

Dennis Brinkrolf of RIPS Technologies / Cure53 / Mozilla Open Source Support (MOSS).
Seamus Lee of JMA Consulting/CiviCRM.
Tim Otten of CiviCRM.