There has been a security release for CiviCRM. We recommend you immediately upgrade to one of the following versions:
- CiviCRM v5.10.3
- CiviCRM v5.7.4 ESR
In addition to the security fixes, this release includes two regression fixes.
Below are the security advisories details:
- CIVI-SA-2019-01: Weak Access-Control for File Attachments
- CIVI-SA-2019-02: SQL Injection in "PrevNext" Cache
- CIVI-SA-2019-03: Cross-Site Scripting in "Logging Details" Report
- ...
- 4 comments
- Log in or register to post comments
The latest release of CiviCRM 5.3.1 and 4.6.38 includes security fixes. This is a critical security release, we recommend upgrading to 5.3.1 and 4.6.38 to ensure the security of your site and data as soon as possible.
- CIVI-SA-2018-07 Remote code execution in QuickForm
- CIVI-SA-2018-06 Reflected XSS in context parameter
- CIVI-SA-2018-05 Reflected XSS in contact merge screen
- CIVI-SA-2018-04 SQL injection in custom groups
- CIVI-SA-2018-03 Reflected...
Please note that 4.6.33, 4.7.26, and 4.7.27 are security releases. All releases include the latest security fixes, and 4.7.27 includes additional bug fixes and enhancements (as a typical monthly release).
Please see below links to the security advisories:
- CIVI-SA-2017-08 XSS in HTML link attributes
- CIVI-SA-2017-09 Shell injection vulnerability in smarty
- CIVI-SA-2017-10 XSS scripting in premium product name
- CIVI-SA-2017-11 XSS in dedupe ...
Please note that release 4.7.21 and 4.6.29 are security releases. Please see below links to the security advisories:
- CIVI-SA-2017-01 Pingback URL not encrypted
- CIVI-SA-2017-02 Privilage escalation via leaked key
- CIVI-SA-2017-03 Cross site scripting in the recently viewed block
- CIVI-SA-2017-04 Incorrect escaping for "On Behalf Of" block
- ...
All sites are strongly encouraged to upgrade to the latest secure versions of CiviCRM: v4.7.14 and v4.6.24.
SECURITY ADVISORIES
- CIVI-SA-2016-19 Order By clause in API not properly being validated
- CIVI-SA-2016-20 Lack of validation on contact ids when using apiQuery function
- CIVI-SA-2016-21 Incorrect Escaping of custom group name in CiviCase
- CIVI-SA-2016-22 Profile Permission check by-passes in Wordpress
- ...
The latest release of CiviCRM 4.6 and 4.7 includes security fixes. We recommend upgrading to 4.7.7 or 4.6.16 to ensure the security of your site and data. The latest releases include 2 moderately critical fixes. A number of other non-security issues have also been fixed in the latest releases.
- CIVI-SA-2016-08: Persistent XSS in CiviCRM backend
- CIVI-SA-2016-07: SQL Injections in AJAX callbacks
Special Thanks
Community support and engagement is the force that sustains and drives CiviCRM forward. This release would not have been possible without the...
The team is super excited to announce that CiviCRM 4.6.9 is now available for downloading AND you can try it out on the 4.6 demo site.
The latest release of CiviCRM 4.6 includes security fixes. While this issue is unlikely to affect the average CiviCRM site, it is recommended to upgrade to the latest version to keep your site as secure as possible.
What's New In CiviCRM 4.6
- New Mailing Interface ( incorporated GSOC 14 Mailing Interface Improvements )
- A/B testing for CiviMail ( incorporated GSOC 14 ...
- 2 comments
- Log in or register to post comments
If you are currently using 4.6.7 and your site uses ACLs to segment access to contacts you are strongly encouraged to upgrade. The 4.6.7 release included a regression in the ACL system which caused certain contact access permissions to behave improperly. The 4.4 LTS branch was unaffected.
The latest version is now available for downloading AND you can try it out on the demo site.
What's New In CiviCRM 4.6
- New Mailing Interface ( incorporated GSOC 14 Mailing Interface Improvements )
- A/B testing for CiviMail ( incorporated GSOC 14 Mailing A/B testing )
- Recurring ...
The latest releases of CiviCRM 4.6 and 4.4 LTS include 2 moderately critical security fixes. While these issues are unlikely to affect the average CiviCRM site, it is recommended to upgrade to the latest version to keep your site as secure as possible.
The latest versions are now available for downloading AND you can try them out on the demo site.
What's New In CiviCRM 4.6
- New Mailing Interface ( incorporated GSOC 14 Mailing Interface Improvements )
- A/B testing for CiviMail...
IATS has been a payment processor extension with CiviCRM for quite a while and has been actively developed & supported. If you are using the IATS extension you can say a quiet thank you to Alan, Karin & Stephen & stop reading.
If, however, you have been using IATS since the dark days before it was an extension and never switched over then it's time to make that change to ensure your site stays secure. Use IATS & need to check? Go to administer -> customise data & screens -> manage extensions and look for IATS. If it says installed - refer to the quiet thank you above (or better yet make a quiet donation to CiviCRM :-).
If not it's time to install the IATS extension https://civicrm.org/extensions/iats-payments - Alan has generously offered to provide support anyone making the transition. You can log an issue on the github repo if you need help -...
Read more