This page lists all security advisories since June 2013. For older security advisories see this post. Security release announcements (starting with v4.2) are also listed here.

To receive future CiviCRM security notices, subscribe to our notifications. Check here for details of our security policy and how to report a suspected security issue.

CIVI-SA-2016-22 Profile Permission check by-passes in Wordpress

This issue affects your site if it is hosted on WordPress, and you use ACLs to restrict access to contact data.

It was identified that CiviCRM on WordPress CMS did not correctly trigger ACL checks when viewing CiviCRM profile URLs via checksum. This might lead sites to disclose some contact data via profile pages.

CIVI-SA-2016-21 Incorrect Escaping of custom group name in CiviCase

It was identified that inputs were not correctly validated when viewing an activity related to a case, due to custom group title not being properly escaped for SQL generation.

This is mitigated by the fact that an attacker would need to have the "administer CiviCRM" permission, and that the issue only affects sites with CiviCase enabled.

CIVI-SA-2016-20 Lack of validation on contact ids when using apiQuery function.

It was identified that CRM_Contact_BAO_Query::apiQuery did not correctly validate contact ID inputs. This could expose contact data via SQL injection.

This is mitigated by permissions restrictions meaning that anonymous users would not typically be able to exploit this vector.

CIVI-SA-2016-17: Manage CSRF overrides for external profile forms

CiviCRM allows administrators to define custom profile-forms in which constituents enter their names, addresses, custom data, etc. CiviCRM is designed to embed all its forms within a CMS (such as Drupal, Joomla, or WordPress), but some administrators also need to embed profile-forms in an external site or custom HTML document. This has sometimes been accomplished with an "HTML Snippet" technique -- the bare, literal HTML code for a profile-form is manually copied and pasted to an external web site.

CIVI-SA-2016-14: Improve permissions on backend scripts

CiviCRM includes a handful of backend scripts (bin/migrate/*.php and bin/encryptDB.php) which facilitate some special workflows (such as migrating site-configurations and obfuscating the database). These scripts include security protections, but -- depending on your organizational policies -- these protections may be inadequate. CiviCRM v4.7.11+ tightens access to these scripts.

Who is impacted?

In older versions, the security of these scripts rests on three things: a username, a password, and the site-key.

CIVI-SA-2016-11: Potential backtrace leak

An automated security audit (based on static code analysis of the CiviCRM codebase) indicated that a dependency (PEAR CLI from the "packages" folder) could potentially reveal semi-sensitive backtrace data if an attacker could run it and provoke an error.

An exploit of this has not been identified.

As a precautionary measure, CiviCRM v4.7.11 removes PEAR CLI.

CIVI-SA-2016-16: Improve permissions for SQL imports

CiviCRM allows users to import contacts using CSV or SQL. Prior to 4.7.11 (or 4.6.21), the permission "import contacts" allowed users to import by any means -- either CSV or SQL. A user with this permission could use it to bypass ACL rules. Beginning with 4.7.11+ (or 4.6.21+), there is now a separate permission "import SQL datasource". If you want your users to be able to import contacts using SQL, you must now grant both permissions ("import contacts" and "import SQL datasource").

CIVI-SA-2016-08: Persistent XSS in CiviCRM backend

This release addresses an issue where it was possible to deliver a cross-site scripting attack through the CiviCRM backend.

To exploit this vulnerability, both the attacker and victim need permission to access the CiviCRM backend, and the victim must visit a specific screen.

For more information about this type of vulnerability, see OWASP's page on Cross Site Scripting.

CIVI-SA-2016-01: Path disclosure

The 4.6.11 release of CiviCRM addresses an issue whereby directly accessing certain CiviCRM files could reveal the full path of the active CiviCRM installation.

This is Full Path Disclosure and while not directly exploitable, in combination with other attacks it may weaken the security of an installation.

For more information on this type of vulnerability, see OWASP's page on Full Path Disclosure.