There has been a security release for CiviCRM. We recommend you immediately upgrade to one of the following versions:
- CiviCRM v5.19.2
- CiviCRM v5.13.7 ESR
In addition to the security fixes, this release includes several bug fixes.
The security advisory details are listed below:
- CIVI-SA-2019-19: SQL injection in "dedupefind"
- CIVI-SA-2019-20: Privilege escalation via leaked key
- CIVI-SA-2019-21: PHP object injection via "Saved Search" and "Report Instance" APIs
- CIVI-SA-2019-22: Cross-site scripting in dashboard titles
- CIVI-SA-2019-23: Incorrect storage encoding for APIv4
- CIVIEXT-SA-2019-02: Cross-site scripting in CiviCase v5 extension
Bugs resolved
- Member Summary Report - Fix filtering by "Member Since" (dev/core#1406: 15894)
- Contribution Search - Fix issue with displaying cancellation date (dev/core#1391: 15893)
- Contribution Search - Fix issue where search criteria were applied inconsistently (dev/core#1374: 15896)
- Additional Payment Form, Payment API - Calculate "Net Amount" automatically. Remove error-prone field from UI. (dev/core#1409: 15889)
Upgrade now for the most stable CiviCRM experience:
- To download CiviCRM 5.19.2: https://civicrm.org/download
- To download CiviCRM 5.13.7 ESR version: https://civicrm.org/esr
Note: If you use CiviCRM v5.13.7 ESR together with the APIv4 extension ("org.civicrm.api4"), double-check that the extension itself is at version 4.4.4. In v5.19+, no extra check is necessary.
CiviCRM security announcements are available from https://civicrm.org/advisory and via the CiviCRM Security Notifications email list.