CIVI-SA-2024-02: JSON Settings XSS

Published
2024-06-19 12:00
Written by
dev-team - member of the CiviCRM community

Web pages that use the "Resources" API to inject JSON data ("settings") into the page may create vectors for cross-site scripting (XSS) attacks: setting values that reach the page unescaped can break out of the script context they are embedded in.
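As an added illustration of the pattern this advisory describes (example code written for this page, not CiviCRM's own Resources API implementation), the PHP below renders a settings array into an inline script block in a vulnerable and a hardened way. It assumes the generic mechanism behind JSON-in-script XSS: a string value containing `</script>` reaching the HTML tokenizer verbatim. The actual vector fixed in 5.74.4 is documented in security/core!171; the variable name `CRM_SETTINGS`, the function names and the sample values here are hypothetical.

```php
<?php
// Added illustrative example, not CiviCRM's Resources API code. It assumes the
// common pattern behind this class of bug: a PHP array of "settings" is
// JSON-encoded and written into an inline <script> block. The variable name
// CRM_SETTINGS and the sample values are hypothetical.

// Constructed settings; 'userName' stands in for attacker-influenced data
// (for example a user-supplied display name). The trailing "//" comments out
// the rest of the original statement so the injected script still parses.
function sampleSettings(): array
{
    return [
        'pageTitle' => 'Contacts',
        'userName'  => 'Mallory</script><script>alert(document.domain)//',
    ];
}

// Vulnerable rendering. JSON_UNESCAPED_SLASHES (often enabled for readability)
// removes PHP's default "\/" escaping, so the literal "</script>" reaches the
// HTML tokenizer, which closes the script block early and runs what follows.
// Note that the default json_encode() only blocks this particular payload by
// accident, via "\/"; it still leaves "<", ">" and "&" verbatim.
function renderSettingsUnsafe(array $settings): string
{
    $json = json_encode($settings, JSON_UNESCAPED_SLASHES);
    return "<script>var CRM_SETTINGS = {$json};</script>";
}

// Hardened rendering. JSON_HEX_TAG/AMP/APOS/QUOT make json_encode() emit
// \u003C, \u003E, \u0026, \u0027 and \u0022 instead of the raw characters.
// The result is still valid JSON and a valid JS literal, but no "</script",
// "<!--" or quote character can appear in the page source.
function renderSettingsSafe(array $settings): string
{
    $flags = JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT;
    $json  = json_encode($settings, $flags);
    if ($json === false) {
        throw new RuntimeException('json_encode failed: ' . json_last_error_msg());
    }
    return "<script>var CRM_SETTINGS = {$json};</script>";
}

// Check used below: a correctly rendered block contains exactly one "</script"
// (its own closing tag). Any extra occurrence means the data broke out.
function scriptCloserCount(string $html): int
{
    return substr_count(strtolower($html), '</script');
}

$settings = sampleSettings();

$unsafe = renderSettingsUnsafe($settings);
$safe   = renderSettingsSafe($settings);

echo "unsafe: ", $unsafe, "\n";
echo "safe:   ", $safe, "\n";

if (scriptCloserCount($unsafe) !== 2) {
    throw new LogicException('expected the unsafe block to be broken out of');
}
if (scriptCloserCount($safe) !== 1) {
    throw new LogicException('expected the safe block to stay intact');
}

// Round-trip: the hex-escaped form decodes back to the original values, so the
// hardening costs nothing on the consuming side.
$flags   = JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT;
$decoded = json_decode(json_encode($settings, $flags), true);
if ($decoded !== $settings) {
    throw new LogicException('hex-escaped JSON should round-trip');
}
```

The practitioner's check is the one encoded in `scriptCloserCount`: grep the rendered page for a second `</script` inside any inline settings block. Relying on the default `\/` escaping is fragile, since any caller that switches on `JSON_UNESCAPED_SLASHES` silently reopens the hole, whereas the `JSON_HEX_*` flags remove the dangerous characters regardless of other options.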

Security Risk
Moderately Critical
Vulnerability
Cross Site Scripting
Affected Versions

CiviCRM version 5.74.3 and earlier

Fixed Versions

CiviCRM version 5.74.4 and 5.69.6 (ESR)

Publication Date

2024-06-19

Solutions

Upgrade to the fixed version of CiviCRM: 5.74.4, or 5.69.6 on the ESR line

Credits

Wikimedia Foundation - Eileen McNaughton; CiviCRM - Tim Otten, Coleman Watts

References

security/core!171