Security Risk: 
Critical
Vulnerability: 
Cross Site Scripting
Affected Versions: 
  • CiviCase v5 extension ("org.civicrm.civicase") prior to v1.1
Fixed Versions: 
  • CiviCase v5 extension ("org.civicrm.civicase") v1.1
Publication Date: 
Thursday, November 21, 2019
Description: 

This SA only affects sites that have installed the CiviCase v5 extension ("org.civicrm.civicase"). In versions prior to 1.1, the extension did not HTML-escape the case "Subject" field when rendering it through the in-place editor, so markup or script saved in a case subject was inserted into the page as-is and could execute in the browser of any user who viewed that case with the editor (cross-site scripting).
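
The following is an added illustration of the bug class this advisory describes, not code from the org.civicrm.civicase extension or from CiviCRM. It contrasts a render routine that concatenates a stored subject straight into the in-place editor's markup with one that escapes it first; the function names (renderSubjectUnsafe, renderSubjectSafe, escapeHtml, containsInjectedMarkup), the span markup and the sample subjects are all assumptions chosen for the example.

```javascript
// Added example for this advisory. Not the CiviCase extension's code; the
// markup, names and sample subjects below are assumptions for illustration.

// Escape the five characters that matter in HTML text and attribute contexts.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Vulnerable pattern: the stored subject is concatenated into the HTML that
// the editor widget injects into the page, so any markup in it survives.
function renderSubjectUnsafe(subject) {
  return '<span class="crm-editable" data-field="subject">' + subject + '</span>';
}

// Hardened pattern: same template, but the untrusted value is escaped before
// it reaches the HTML context. escapeHtml also covers the quote characters,
// so the same function is safe for a quoted attribute value.
function renderSubjectSafe(subject) {
  return '<span class="crm-editable" data-field="subject">' + escapeHtml(subject) + '</span>';
}

// Check used by the demo: after stripping the template's own opening and
// closing span, does anything that parses as a tag remain in the body?
function containsInjectedMarkup(html) {
  const body = html
    .replace(/^<span class="crm-editable" data-field="subject">/, '')
    .replace(/<\/span>$/, '');
  return /<[a-z!/]/i.test(body);
}

// Constructed sample subjects (not taken from any real case record).
const SUBJECTS = {
  benign: 'Housing application for Smith & Co',
  tagInjection: '<img src=x onerror="alert(document.cookie)">',
  breakout: '"></span><script>alert(1)</script><span class="',
};

// Render every sample both ways and report whether markup got through.
function demo() {
  const results = {};
  for (const [name, subject] of Object.entries(SUBJECTS)) {
    results[name] = {
      unsafe: containsInjectedMarkup(renderSubjectUnsafe(subject)),
      safe: containsInjectedMarkup(renderSubjectSafe(subject)),
    };
  }
  return results;
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(demo(), null, 2));
}
```

Run with node to see that both injected subjects pass through the unsafe renderer unchanged and are neutralised by the safe one. The practical check for a site is the same: open a case whose subject contains a literal `<` through the in-place editor and confirm it is displayed as text rather than rendered as markup.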

Solutions: 

Upgrade to version 1.1 or later of the "org.civicrm.civicase" extension.

Credits: 

Daniel Compton of Armadillo Sec Ltd for reporting the issue

Seamus Lee of Australian Greens for fixing the issue

References: 

security/core#64