Published: Wed, 15 Apr 2020 12:00:03 -0700
Backend users may be able to upload and execute a maliciously crafted "PHAR" file.
The "PharExtensionInterceptor" from TYPO3's "phar-stream-wrapper" library addresses this problem. Many projects - including the current Drupal and Joomla releases - already activate this protection and are already covered. However, some environments - such as WordPress - do not provide it. This update extends the protection to all CiviCRM-supported environments.
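How the protection works in practice, as an added example (not CiviCRM's code): TYPO3's phar stream wrapper is registered with the "PharExtensionInterceptor", so that any phar:// access is refused unless the archive's file name ends in ".phar". An uploaded archive renamed to "avatar.jpg" therefore can no longer have its serialized metadata unpacked by something as innocent as a file_exists() call. The example assumes the typo3/phar-stream-wrapper package is installed via Composer; the upload directory and file names are made up.

```php
<?php
// Added example (not CiviCRM's own code): wire up typo3/phar-stream-wrapper so
// that phar:// URLs are honoured only for files whose name ends in ".phar".
// Assumes the package was installed with Composer (vendor/autoload.php exists).
require __DIR__ . '/vendor/autoload.php';

use TYPO3\PharStreamWrapper\Behavior;
use TYPO3\PharStreamWrapper\Interceptor\PharExtensionInterceptor;
use TYPO3\PharStreamWrapper\Manager;
use TYPO3\PharStreamWrapper\PharStreamWrapper;

function registerPharProtection(): void
{
    // The assertion every phar:// access has to pass before PHP's native
    // phar handling (and the unserialize() of archive metadata) is reached.
    Manager::initialize(
        (new Behavior())->withAssertion(new PharExtensionInterceptor())
    );
    // Replace PHP's built-in phar:// wrapper with the intercepting one.
    if (in_array('phar', stream_get_wrappers(), true)) {
        stream_wrapper_unregister('phar');
    }
    stream_wrapper_register('phar', PharStreamWrapper::class);
}

// Probe a path the way a file-handling code path might (file_exists, is_dir,
// file_get_contents all go through the wrapper). The interceptor refuses a
// non-.phar archive by throwing an exception instead of parsing it.
function probe(string $path): string
{
    try {
        return file_exists($path) ? 'exists' : 'missing';
    } catch (\Throwable $e) {
        return 'blocked: ' . get_class($e);
    }
}

registerPharProtection();

// Hypothetical upload directory and file names, used only for illustration.
$uploads = __DIR__ . '/uploads';
// A PHAR archive smuggled in under an image extension: blocked.
echo probe('phar://' . $uploads . '/avatar.jpg/anything'), "\n";
// A genuine .phar path passes the extension check and is handled normally.
echo probe('phar://' . $uploads . '/tool.phar/anything'), "\n";
```

The registration must run once during bootstrap, before any code that could touch a user-controlled path; registering it lazily from the upload handler leaves every other file_exists() in the application unprotected.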
Published: Wed, 15 Apr 2020 12:00:02 -0700
Using a carefully crafted request, a backend user could determine the API credentials of another user.
Published: Wed, 15 Apr 2020 12:00:01 -0700
When processing a CiviCRM API request, the entity name was not properly validated. This could potentially lead to loading an arbitrary file on the server.
Published: Wed, 04 Dec 2019 09:00:24 -0800
The AJAX end-point for APIv4 was vulnerable to a cross-site request forgery. If an administrative user visited a malicious page outside of CiviCRM, the malicious page could trick that user's browser into performing privileged actions on the CiviCRM site.
Published: Wed, 20 Nov 2019 09:00:23 -0800
Several CiviCRM fields are stored with an unconventional "HTML-esque" encoding. Consumers which read or write these fields via APIv4 have been prone to mishandling those strings (which can lead to cross-site scripting vulnerabilities and/or quirky outputs). In APIv3, the issue was previously mitigated by automatically transcoding strings. This revision extends the same mitigation to APIv4.
Most APIv4 consumers should automatically become more secure with this update.
Published: Wed, 20 Nov 2019 09:00:22 -0800
When loading dashboard dashlets, the system did not ensure that the dashlet titles were properly escaped.
Published: Wed, 20 Nov 2019 09:00:21 -0800
Both the "SavedSearch" and "ReportInstance" APIs accept certain inputs using "serialized" PHP notation. Accepting untrusted values in this notation leads to a "PHP Object Injection" (POI) vulnerability - which can potentially escalate to an "Arbitrary Code Execution" vulnerability.
The APIs now accept a restricted subset of "serialized" notation - the APIs will only accept basic data (arrays, strings, numbers, etc). This prohibits PHP object construction and retains backward compatibility with typical API inputs.
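An added PHP example, not CiviCRM's own code, of the restriction described above. The "allowed_classes" option of unserialize() (PHP 7.0 and later) turns every object token into a __PHP_Incomplete_Class placeholder, so no constructor, __wakeup() or __destruct() gadget ever runs; the decoder then rejects any value that still contains such a placeholder, leaving only arrays and scalars. The sample inputs are constructed.

```php
<?php
// Added example (not CiviCRM's own code): accept PHP-serialized input
// without letting the caller construct objects.

// Vulnerable: any autoloadable class can be instantiated by the caller, and
// its magic methods (__wakeup, __destruct, __toString, ...) become gadgets.
function decodeSerializedUnsafe(string $input)
{
    return unserialize($input);
}

// Hardened: object tokens become __PHP_Incomplete_Class instances that carry
// no behaviour; the result is then refused outright if any object remains.
function decodeSerializedScalarOnly(string $input)
{
    $value = unserialize($input, ['allowed_classes' => false]);
    // unserialize() returns false both for malformed input and for a
    // serialized false ("b:0;"); distinguish the two.
    if ($value === false && $input !== serialize(false)) {
        throw new InvalidArgumentException('Malformed serialized input');
    }
    if (containsObject($value)) {
        throw new InvalidArgumentException('Objects are not permitted in serialized input');
    }
    return $value;
}

// Recursive walk: arrays of arrays/scalars pass, anything object-like fails.
function containsObject($value): bool
{
    if (is_object($value)) {
        return true;
    }
    if (is_array($value)) {
        foreach ($value as $item) {
            if (containsObject($item)) {
                return true;
            }
        }
    }
    return false;
}

// Constructed inputs: a typical saved-search form value, and an injected
// object (class name and property are made up for the example).
$benign  = serialize(['sort_name' => 'Smith', 'group' => [3, 5]]);
$hostile = 'O:8:"SomeEvil":1:{s:3:"cmd";s:2:"id";}';
$nested  = serialize(['filters' => [unserialize($hostile, ['allowed_classes' => false])]]);

var_dump(decodeSerializedScalarOnly($benign));
foreach ([$hostile, $nested] as $input) {
    try {
        decodeSerializedScalarOnly($input);
    } catch (InvalidArgumentException $e) {
        echo $e->getMessage(), "\n";
    }
}
```

Rejecting placeholders is the important second step: a __PHP_Incomplete_Class that is stored and later re-serialized round-trips back into the original object token, so a downstream unserialize() without the option would still be exposed.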
Published: Wed, 20 Nov 2019 09:00:20 -0800
The field "api_key" has special security rules when accessed via the API. These rules could potentially be bypassed and lead to privilege escalation.
Published: Wed, 20 Nov 2019 09:00:19 -0800
The "dedupefind" endpoint facilitates de-duplication of contacts. The endpoint had a SQL injection vulnerability.
Published: Wed, 20 Nov 2019 08:59:02 -0800
This SA only affects users of the CiviCase v5 extension. In versions prior to 1.1, the extension did not properly escape the "Subject" field when using the in-place editor.
Published: Wed, 15 May 2019 09:00:18 -0700
When determining the installer type that is being used, the variable was not properly validated to ensure that it was only one of a specific set of installer types.
Published: Wed, 15 May 2019 09:00:17 -0700
When preparing the query for finding events for the Manage Events page, the event type parameter was not properly escaped.
Published: Wed, 15 May 2019 09:00:16 -0700
When generating a query for finding particular checkbox values, the query was not properly being escaped before being passed onto the database.
Published: Wed, 15 May 2019 09:00:15 -0700
In CiviCRM systems which accept file attachments, a malicious user could perform a cross-site scripting attack. This attack involved accessing the "civicrm/file" path with a forged value in the parameter "&mime-type=...".
The solution involved a few subtle changes in the public-facing contract for "civicrm/file". If you have a customization which relies on this route, you may want to consider the details:
Published: Wed, 15 May 2019 09:00:14 -0700
In CiviCRM APIv3, a generic action ("getOptions") inappropriately propagated an advanced option ("condition") to a lower-level function, which effectively allowed a caller to include arbitrary SQL conditions. The "getOptions" API will now ignore the "condition" option.
Published: Wed, 15 May 2019 09:00:13 -0700
PHP libraries and applications sometimes have vulnerabilities in which an attacker may inappropriately request construction of an object. The patch in this release does not deal with a specific vulnerability. Rather, it is defense in depth -- it removes an escalation vector by which hypothetical vulnerabilities (in CiviCRM or a related PHP library/application) could become more severe.
Published: Wed, 15 May 2019 09:00:12 -0700
When processing country, state, province, or county references, some values were not properly validated - which enabled a SQL-injection (SQLI) vulnerability.
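The four SQL-injection items above (the "dedupefind" endpoint, the Manage Events query, the checkbox-value query, and the country/state/county references) share one root cause: a request value spliced into a query string. An added PHP example, not CiviCRM's code, showing the vulnerable and the corrected form side by side against an in-memory SQLite table built inside the script; the table and column names are illustrative and the attacker value is constructed. Requires the pdo_sqlite extension.

```php
<?php
// Added example (not CiviCRM's own code): request value concatenated into SQL
// versus validated-and-bound. Table layout below is illustrative only.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE civicrm_event (id INTEGER PRIMARY KEY, title TEXT, event_type_id INTEGER)');
$db->exec("INSERT INTO civicrm_event VALUES (1, 'Public meetup', 1), (2, 'Board retreat', 2)");

// Vulnerable: the "event type" request parameter is pasted into the query.
function findEventsUnsafe(PDO $db, string $eventType): array
{
    $sql = "SELECT id, title FROM civicrm_event WHERE event_type_id = $eventType";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened: validate the value against what the column can hold, then bind
// it. Validation alone defeats this particular payload; binding also covers
// string-typed parameters (titles, names) where no simple validation exists.
function findEventsSafe(PDO $db, string $eventType): array
{
    if (!ctype_digit($eventType)) {
        throw new InvalidArgumentException('event_type_id must be a positive integer');
    }
    $stmt = $db->prepare('SELECT id, title FROM civicrm_event WHERE event_type_id = :type');
    $stmt->execute([':type' => (int) $eventType]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed attacker value for a parameter such as "&type=...": the
// injected OR clause disables the filter in the vulnerable query.
$payload = '1 OR 1=1';

print_r(findEventsUnsafe($db, $payload));
try {
    findEventsSafe($db, $payload);
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), "\n";
}
print_r(findEventsSafe($db, '2'));
```

CiviCRM's own data layer offers the equivalent through typed placeholders in CRM_Core_DAO::executeQuery(), where a parameter declared as 'Integer' or 'String' is checked and quoted by the DAO rather than by the caller; the fixes listed above amount to routing the offending values through that mechanism instead of interpolating them.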
Published: Wed, 15 May 2019 09:00:10 -0700
TCPDF converts HTML content to PDF. The library had vulnerabilities, including cross-site scripting and remote code execution. The library has now been upgraded to a fixed version.
Published: Wed, 15 May 2019 09:00:09 -0700
CiviCRM includes the PHPWord library. PHPWord v0.14 is vulnerable to an XML external entity attack - which is resolved in v0.15.
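What an XML external entity does to a document part, and the parser settings that neutralise it, as an added PHP example (not PHPWord's or CiviCRM's code). A .docx is a ZIP of XML parts; the fragment below mimics one such part, with a DTD pointing at a local file, and both the secret file and the part are constructed by the script. The hardened parser never passes LIBXML_NOENT, adds LIBXML_NONET, and rejects any part that carries a DTD at all, since OOXML parts never legitimately need one.

```php
<?php
// Added example (not PHPWord's or CiviCRM's code): XXE in a document part,
// and a parser configuration that refuses it. Inputs are constructed here.
$secret = tempnam(sys_get_temp_dir(), 'xxe');
file_put_contents($secret, "db_password=hunter2\n");

// A constructed WordprocessingML part whose DTD defines an external entity.
$docxPart = <<<XML
<?xml version="1.0"?>
<!DOCTYPE w:document [
  <!ENTITY leak SYSTEM "file://{$secret}">
]>
<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main">
  <w:body><w:p><w:r><w:t>&leak;</w:t></w:r></w:p></w:body>
</w:document>
XML;

// Permissive: LIBXML_NOENT substitutes entities, external ones included, so
// the referenced file's contents end up inside the document text. This is
// the flag that keeps a parser exploitable even on PHP 8 / libxml >= 2.9.
function parsePermissive(string $xml): string
{
    $dom = new DOMDocument();
    $dom->loadXML($xml, LIBXML_NOENT);
    return $dom->getElementsByTagName('t')->item(0)->textContent;
}

// Hardened: no LIBXML_NOENT, LIBXML_NONET to forbid fetches, and an outright
// refusal of any DTD. On PHP < 8.0, additionally call
// libxml_disable_entity_loader(true) at bootstrap (deprecated, no-op later).
function parseHardened(string $xml): string
{
    $prev = libxml_use_internal_errors(true);
    $dom = new DOMDocument();
    $ok = $dom->loadXML($xml, LIBXML_NONET);
    libxml_use_internal_errors($prev);
    if (!$ok) {
        throw new RuntimeException('XML rejected: not well-formed');
    }
    if ($dom->doctype !== null) {
        throw new RuntimeException('XML rejected: DTD not allowed in a document part');
    }
    return $dom->getElementsByTagName('t')->item(0)->textContent;
}

echo "permissive: ", parsePermissive($docxPart), "\n";
try {
    echo "hardened: ", parseHardened($docxPart), "\n";
} catch (RuntimeException $e) {
    echo "hardened: ", $e->getMessage(), "\n";
}
unlink($secret);
```

The DTD check is the part worth keeping even after a library upgrade: it is version-independent, costs nothing, and turns a whole class of entity tricks (external entities, parameter entities, billion-laughs expansion) into a single rejection before any parsing option matters.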
Published: Wed, 15 May 2019 08:00:01 -0700
To be affected, APIv4 must be installed, not merely present on the filesystem.
The latest release of APIv4 addresses 2 vulnerabilities:
Published: Fri, 22 Feb 2019 09:00:45 -0800
This vulnerability allowed attackers to access the content of arbitrary files (in a common configuration).
NOTE: The patch-set for this issue overlapped with the patch-set for CIVI-SA-2019-01, but the cause, exploit, and risks are distinct.
Published: Wed, 20 Feb 2019 09:00:07 -0800
Published: Wed, 20 Feb 2019 09:00:06 -0800
When Contact entity fields are added to forms, the display name label wasn't properly sanitised.
Published: Wed, 20 Feb 2019 09:00:05 -0800
The "Currency" element of a new pledge was not properly validated, which could potentially lead to a cross-site scripting attack.