Please note that 4.6.33, 4.7.26, and 4.7.27 are security releases. All releases include the latest security fixes, and 4.7.27 includes additional bug fixes and enhancements (as a typical monthly release).
Please see below links to the security advisories:
- CIVI-SA-2017-08 XSS in HTML link attributes
- CIVI-SA-2017-09 Shell injection vulnerability in smarty
- CIVI-SA-2017-10 XSS scripting in premium product name
- CIVI-SA-2017-11 XSS in dedupe rules
- CIVI-SA-2017-12 XSS in tag descrption
- CIVI-SA-2017-13 Selectedchild URL parameter not properly validated for CiviCRM message templates
- CIVI-SA-2017-14 XSS in search criteria description
- CIVI-SA-2017-15 Extension key not properly validated when adding or disabling or uninstalling extension
CIVI-SA-2017-16 SQL injection risk in CiviReports listing
WHAT'S NEW IN CIVICRM 4.7.27
- Core CiviCRM updates:
Adding the ability to add icons to menu items. More details.
Convert civicrm_subscription_history.date to timestamp from datetime for new installs. More details.
Allow Inline View of Files Instead of Download. More details.
Provide option to filter by contact id & external id. More details.
Survey detail report lacks date options, more details.
Activity API - fetch case details. More details.
find cases: search by case ID and subject. More details.
Make event_type_id available in event message templates. More details.
Make contact custom fields available in Membership Detail report. More details.
And many other bug fixes and improvements!
Authorize.net users:: Prior to 4.7, CiviCRM forced Authorize.net to send out receipt emails regardless of Authorize.net configuration. From 4.7 onwards this will not happen and you should log into your Authorize.net interface and configure whether you want Authorize.net to send out receipts (in addition to those sent by CiviCRM).
Lybunt report users:: Some fields that were previously mandatory on Lybunt are now optional. On new reports they are on by default but you might need to check the fields you want are selected for existing reports.