CiviCRM 5.24.3 Security Release (and ESR 5.21.3) | CiviCRM

Published

2020-04-15 15:00

Written by

dev-team - official CiviCRM announcement

Important Notice: This is a security release. We recommend you immediately upgrade to one of the following versions:

CiviCRM 5.24.3 (download)
CiviCRM 5.21.3 ESR (signup)

Below are the security advisories details:

CIVI-SA-2020-01: Sanitize Entity Name
CIVI-SA-2020-02: API Key Disclosure
CIVI-SA-2020-03: PHP Code Execution via Phar Deserialization
CIVI-SA-2020-04: Cross Site Scripting within CiviCase Reports
CIVI-SA-2020-05: SQL Injection in Campaign Summary and Delete Activity
CIVI-SA-2020-06: SQLI in Query Builder
CIVI-SA-2020-07: CSRF in Scheduled Jobs
CIVI-SA-2020-08: XSS via JS libraries

Support CiviCRM

We are committed to keeping CiviCRM free and open, forever. We depend on your support to help make that happen.

Make a donation or contribute to a Make it happen campaign.
If your organization wants to support our work, please become a member today.
If you are a CiviCRM service provider, please become a partner.

Filed under

Security Releases

Extended Security Release

Release announcements

We are in the process of translating the civicrm.org website. Translations may not be available in all languages. Read more and participate.

© 2005 - 2025, CIVICRM LLC. All rights reserved.
CiviCRM and the CiviCRM logo are trademarks of CIVICRM LLC. Except where otherwise noted, content on this site is licensed under a Creative Commons Attribution-Share Alike 3.0 United States Licence.

[D10]