CIVI-SA-2024-01: View Contact XSS

Published
2024-06-19 12:00
Written by
dev-team - member of the CiviCRM community

Within the "View Contact" screen and its sub-pages, there were multiple cross-site scripting vulnerabilities.
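The advisory does not publish the affected code, so the following is an added illustration of the vulnerability class it names, not CiviCRM's own code and not a reproduction of the actual flaw. It assumes a hypothetical contact record (constructed inline) whose display name is rendered into the page, shows the unsafe interpolation pattern beside the hardened one, and includes a check a maintainer can keep in a regression test so that a reintroduced unescaped field is caught before release.

```php
<?php
// Added example: generic stored-XSS pattern in a contact view, with its fix.
// Not CiviCRM code; the contact record below is constructed for illustration.
declare(strict_types=1);

/**
 * Vulnerable pattern: a user-editable field is concatenated straight into
 * HTML markup. Whatever the field contains is interpreted by the browser.
 */
function renderContactNameUnsafe(array $contact): string
{
    return '<h1 class="contact-name">' . $contact['display_name'] . '</h1>';
}

/**
 * Hardened pattern: encode for the HTML text context at the point of output.
 * ENT_QUOTES also neutralises quotes, so the same helper is safe inside
 * double-quoted attribute values; ENT_HTML5 selects HTML5 entity rules.
 */
function renderContactNameSafe(array $contact): string
{
    $name = htmlspecialchars($contact['display_name'], ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<h1 class="contact-name">' . $name . '</h1>';
}

/**
 * Regression check: the rendered fragment must not contain any raw '<' that
 * came from the field. Encoded output turns '<' into '&lt;', so a true result
 * means unescaped user data reached the markup.
 */
function fieldLeaksMarkup(string $rendered, string $fieldValue): bool
{
    // Strip the template's own fixed markup, then look for a raw tag opener.
    $withoutTemplate = str_replace(['<h1 class="contact-name">', '</h1>'], '', $rendered);
    return strpos($withoutTemplate, '<') !== false
        && strpos($fieldValue, '<') !== false;
}

// Constructed sample contact: the display name carries a script tag, the kind
// of value a stored-XSS payload would leave in a contact record.
$contact = ['display_name' => '<script>alert(1)</script> Smith'];

$unsafe = renderContactNameUnsafe($contact);
$safe   = renderContactNameSafe($contact);

echo "unsafe leaks markup: " . var_export(fieldLeaksMarkup($unsafe, $contact['display_name']), true) . PHP_EOL;
echo "safe leaks markup:   " . var_export(fieldLeaksMarkup($safe, $contact['display_name']), true) . PHP_EOL;
echo $safe . PHP_EOL;
```

The fix is applied at output time rather than on save: a field stored verbatim can still be exported, searched and compared correctly, while every rendering context (HTML body, attribute, JavaScript string, URL) applies its own encoder. The check in `fieldLeaksMarkup` is deliberately crude; a real test suite would render each sub-page of the contact view with a fixture containing markup in every editable field and assert on the encoded form.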

Security Risk
Critical
Vulnerability
Cross Site Scripting
Affected Versions

CiviCRM version 5.74.3 and earlier

Fixed Versions

CiviCRM version 5.74.4 and 5.69.6 (ESR)

Publication Date
Solutions

Upgrade to the fixed version of CiviCRM

Credits

Québec Ministère de la Cybersécurité et du Numérique; Claude Bernard Lyon 1 University - Security team; CiviCRM/JMA Consulting - Seamus Lee; Greenpeace Central and Eastern Europe - Patrick Figel; Coop SymbioTIC - Mathieu Lutfy; CiviCRM - Tim Otten

References

security/core#130, security/core#133, security/core#173, security/core#174