CiviCRM Security Release (5.13.4, 5.7.6 ESR, API v.4) | CiviCRM

Publicat

2019-05-16 04:17

Written by

dev-team - official CiviCRM announcement

There has been a security release for CiviCRM. We recommend you immediately upgrade to one of the following versions:

CiviCRM v5.13.4
CiviCRM v5.7.6 ESR

Below are the security advisories details:

CIVI-SA-2019-09: XXE in PHPWord
CIVI-SA-2019-10: TCPDF XSS and RCE vulnerabilities
CIVI-SA-2019-11: jQuery Object.prototype pollution
CIVI-SA-2019-12: SQLI in "Country", et al
CIVI-SA-2019-13: Harden against unserialize vulnerabilities
CIVI-SA-2019-14: SQLI in APIv3 GetOptions
CIVI-SA-2019-15: XSS via forged MIME type
CIVI-SA-2019-16: SQLI in certain checkboxes
CIVI-SA-2019-17: SQLI in "Manage Events"
CIVI-SA-2019-18: XSS in CiviCRM installer
CIVIEXT-SA-2019-01: Multiple security issues in APIv4

Combined with CiviCRM security release, there is also a security release for API v.4. If you use API v.4 extension, you need to upgrade to:

CiviCRM versions between 5.0.0. and 5.12.x: 4.3.1
CiviCRM versions 5.13.0 and above: 4.4.1

See the security advisory for more details.

Upgrade now for the most stable CiviCRM experience:

To download CiviCRM 5.13.4: https://civicrm.org/download
To download CiviCRM 5.7.6 ESR version: https://civicrm.org/esr

CiviCRM security announcements are available from https://civicrm.org/advisory and via the CiviCRM Security Notifications email list.

Filed under

Release announcements

Security Releases

We are in the process of translating the civicrm.org website. Translations may not be available in all languages. Read more and participate.

© 2005 - 2023, CIVICRM LLC. All rights reserved.
CiviCRM and the CiviCRM logo are trademarks of CIVICRM LLC. Except where otherwise noted, content on this site is licensed under a Creative Commons Attribution-Share Alike 3.0 United States Licence.

[D8]