Security Advisories

This page lists all security advisories since June 2013. For older security advisories see this post. Security release announcements (starting with v4.2) are also listed here.

To receive future CiviCRM security notices, subscribe to our notifications. Check here for details of our security policy and how to report a suspected security issue.

CIVI-SA-2013-002 - OpenFlashChart XSS

Published: Wed, 05 Jun 2013 09:17:36 -0700

OpenFlashChart is a library used to render dashboards and reports in CiviCRM v3+. The library includes a program written for Adobe Flash which accepts data via query string. The data is not properly sanitisized. If an attacker provides an authorized user with a maliciously constructed link, the attacker can cause the user to execute arbitrary JavaScript code.

CIVI-SA-2013-001 - OpenFlashChart File Upload

Published: Wed, 17 Apr 2013 13:51:00 -0700

Note: This document is being published in June 2013 to conform with our new disclosure format. However, the issue was previously disclosed in detail in a civicrm.org blog-post (April 2013) and in summary in a civicrm.org release-announcement (Nov 2012).

Subscribe to CiviCRM Security Advisories

We are in the process of translating the civicrm.org website. Translations may not be available in all languages. Read more and participate.

© 2005 - 2021, CIVICRM LLC. All rights reserved.
CiviCRM and the CiviCRM logo are trademarks of CIVICRM LLC. Except where otherwise noted, content on this site is licensed under a Creative Commons Attribution-Share Alike 3.0 United States Licence.

[D8]

Security Advisories

CIVI-SA-2013-002 - OpenFlashChart XSS

CIVI-SA-2013-001 - OpenFlashChart File Upload

WORK WITH A TRUSTED EXPERT
TO SETUP YOUR CIVICRM

Languages

Security Advisories

CIVI-SA-2013-002 - OpenFlashChart XSS

CIVI-SA-2013-001 - OpenFlashChart File Upload

WORK WITH A TRUSTED EXPERT TO SETUP YOUR CIVICRM

WORK WITH A TRUSTED EXPERT
TO SETUP YOUR CIVICRM