CIVIEXT-SA-2019-02: XSS in CiviCase v5 extension

Published
2019-11-20 08:59

This SA only affects users of the CiviCase v5 extension. In versions prior to 1.1, the extension did not properly escape the case "Subject" field when rendering it in the in-place editor, so HTML or script saved in a subject was emitted into the page unescaped (cross-site scripting).
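
As an added illustration of the defect class, not code from the org.civicrm.civicase extension (whose internals this advisory does not show), the JavaScript below contrasts an in-place editor render step that interpolates a stored subject straight into markup with one that escapes it first. The render functions, the tag check and the sample subject are constructed for this example.

```javascript
// Added example, not the extension's own code: a minimal in-place editor
// "render" step, shown in its unescaped form beside the fixed form.

// Escape the five characters that matter in HTML text and attribute contexts.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Vulnerable pattern (hypothetical reconstruction): the stored subject is
// dropped into markup as-is, so any tag or attribute break-out it contains
// becomes live when the browser parses the editor's HTML.
function renderSubjectUnsafe(subject) {
  return '<span class="case-subject" title="' + subject + '">' + subject + '</span>';
}

// Fixed pattern: the untrusted value is escaped once, before it is placed in
// either the attribute or the text context.
function renderSubjectSafe(subject) {
  const safe = escapeHtml(subject);
  return '<span class="case-subject" title="' + safe + '">' + safe + '</span>';
}

// Small detector used only to show the difference between the two outputs;
// the real arbiter is the browser's HTML parser, not a regex.
function containsLiveTag(html) {
  return /<\s*(img|script|svg|iframe)\b/i.test(html);
}

// Constructed sample: a case subject as an attacker could have saved it.
const SAMPLE_SUBJECT = 'Quarterly review <img src=x onerror="alert(document.cookie)">';

// Returns both renderings and whether each still carries a live tag.
function demo(subject) {
  const unsafe = renderSubjectUnsafe(subject);
  const safe = renderSubjectSafe(subject);
  return {
    unsafe: unsafe,
    safe: safe,
    unsafeHasTag: containsLiveTag(unsafe),
    safeHasTag: containsLiveTag(safe),
  };
}

const result = demo(SAMPLE_SUBJECT);
console.log('unsafe:', result.unsafe);
console.log('safe:  ', result.safe);
```

In a real editor the same fix is achieved by writing the subject through a text-only sink (`textContent`, or a framework binding that escapes by default) rather than building HTML strings; the string form is used here only so the two outputs can be compared directly.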

Security Risk
Critical
Vulnerability
Cross-Site Scripting (XSS)
Affected Versions
  • CiviCase v5 extension ("org.civicrm.civicase") prior to v1.1
Fixed Versions
  • CiviCase v5 extension ("org.civicrm.civicase") v1.1
Solutions

Upgrade the "org.civicrm.civicase" extension to v1.1 or later

Credits

Daniel Compton of Armadillo Sec Ltd for reporting the issue

Seamus Lee of Australian Greens for fixing the issue

References

security/core#64