This page lists all security advisories since June 2013. For older security advisories see this post. Security release announcements (starting with v4.2) are also listed here.

To receive future CiviCRM security notices, subscribe to our notifications. Check here for details of our security policy and how to report a suspected security issue.

CIVI-SA-2016-01: Path disclosure

The 4.6.11 release of CiviCRM addresses an issue whereby directly accessing certain CiviCRM files could reveal the full path of the active CiviCRM installation.

This is Full Path Disclosure and while not directly exploitable, in combination with other attacks it may weaken the security of an installation.

For more information on this type of vulnerability, see OWASP's page on Full Path Disclosure.

CIVI-SA-2015-009: Incorrect escaping of user input

There was a bug in one of CiviCRM's internal type checks which may allow inappropriate user input to be saved to the database and/or displayed.

This was a general weakness in one of CiviCRM's security layers; no specific exploits of this have been identified. This type of vulnerability could potentially allow attackers to save malicious content to the database or display it to site users.

CIVI-SA-2015-008: ACL bypass in 4.6.7

CiviCRM 4.6.7 introduced an access bypass issue which applied a limited number of sites.

The issue affected only certain configurations, where the site used ACLs to limit access, and applied to users whose permissions included “access CiviCRM” and “view my contact” but not “view all contacts”. Changes introduced in CRM-16512 allowed the “view my contact” permission for those users to incorrectly grant access to all contacts.

CIVI-SA-2015-005 - SQL Injection in CiviMail Backend

The backend CiviMail composition screen includes an input field which is passed to a SQL query without proper escaping.

An exploit of this vulnerability in CiviCRM has not been identified. Additional filters apply to the field which block a number of SQL control characters. Never-the-less, it could potentially be combined with other vulnerabilities, and we're issuing a patch as a precaution.

CIVI-SA-2015-004 - Malicious Smarty file naming

The Smarty templating engine includes a defect in which a specially named Smarty template could be used to execute PHP code.

An exploit of this vulnerability in CiviCRM has not been identified. Exploiting it requires that an attacker have permission to set the name and content of a template file; in CiviCRM deployments, this permission is generally only available to system administrators. Never-the-less, it could potentially be combined with other vulnerabilities, and we're issuing a patch as a precaution.

CIVI-SA-2015-003 - Persistent XSS in Drupal watchdog integration

By default, CiviCRM records log entries in a flat text file. Optionally, log entries may be directed to Drupal's watchdog() service. If this option is enabled, and if a log entry includes user-supplied data, the user-supplied data may not be correctly encoded. When an administrator browses the log entries, they may be exposed to a cross-site scripting attack.

CIVI-SA-2015-002 - Reflected XSS in AJAX callbacks

Cross-Site Scripting (XSS) is a technique used to embed malicious content into the resulting web page. As such, it is pertinent to note that this class of attack targets end-users rather than the web application itself. When this attack is considered “reflected”, a user requests a web page with a payload which is embedded within a crafted hyperlink or a malicious page.

Certain AJAX callbacks in CiviCRM did not properly encode their outputs - making them vulnerable to cross-site scripting attacks.

CIVI-SA-2014-006 - Access bypass in CiviCase

CiviCase functionality includes several urls which allow a user to view and edit a limited amount of case info. Some of these urls were not adequately checking permissions and could be used by any user with "Access CiviCRM" permission.

This problem only affects sites using the CiviCase component. It is mitigated by the fact that the user must have "Access CiviCRM," a permission not normally granted to untrusted users.

CIVI-SA-2014-004 - Information Disclosure

CiviCRM uses AJAX callbacks to provide advisory details while completing certain forms. For example, when registering a new user through a profile form, CiviCRM issues an AJAX request to determine whether the username is available.

Some AJAX callbacks did not test for authorization, enabling untrusted parties to:

  • Determine whether a username was in-use
  • Determine the primary email address for a given contact ID
  • Determine the list of available options in certain custom-field

CIVI-SA-2014-003 - Insecure handling of profile settings

The CiviCRM Profile subsystem allows administrators to design customized forms. The subsystem includes some advanced workflow settings which are not securely handled. By submitting a custom-crafted form to the Profile subsystem, an attacker may manipulate these settings. This vulnerability can be leveraged to acquire escalated privileges and (possibly) to issue open redirects.

CIVI-SA-2014-002 - Risk of Information Disclosure by Anonymous Users

A small number of CiviCRM entry points had faulty permission checks. This could allow hackers, under certain circumstances, to view basic contact information such as name, email, phone, or address for contacts in the database.

The risk is limited to viewing basic contact information - it does not include contributions, memberships, passwords or other data. It does not give hackers the ability to login or make changes to the database.

All sites are advised to upgrade immediately to avoid the potential risk.

CIVI-SA-2014-001 - Risk of Information Disclosure

In its default configuration, CiviCRM places some uploaded and server-generated data in the CMS's data folder (such as Drupal's "sites/default/files" or Joomla's "media"). This folder is web-accessible, but many of the documents processed by CiviCRM should not be web-accessible. If CiviCRM's data folders are not suitably protected from web access, then sensitive information may be disclosed.

CIVI-SA-2013-008 - Use SSL to retrieve information from civicrm.org

CiviCRM v3.3 introduced the extensions directory which retrieves extension listings and extension code via HTTP, and v4.3 introduced a new dashboard feed which displays news and updates retrieved from CiviCRM.org. Before v4.3.5 these were retrieved over an unencrypted channel, which raises the possibility of an attacker injecting malicious code via a "man in the middle" (MITM) attack.

In version v4.3.5+, this data will be retrieved over SSL, which will reduce the potential for malicious content injection.