CIVI-SA-2023-03: Asset Builder XSS

Publicat
2023-01-04 12:00
Written by

Asset Builder allows CiviCRM and its extensions to generate dynamic assets. A vulnerability allowed third-parties to trick it into generating assets with unintended inputs.

Exploiting this vulnerability depends on several details (e.g. the asset data-types, input-parameters, and web-domain policies). For the specific assets and configurations that we tested, attacks were substantively constrained by the browsers' "Same Origin Policy". However, other assets and other configurations could be impacted more severely.

Security Risk
Less Critical
Vulnerability
Cross Site Scripting
Affected Versions

CiviCRM version 5.56.1 (and earlier), 5.51.3 (and earlier)

Fixed Versions

CiviCRM version 5.57.0, 5.56.2, 5.51.4 (ESR)

Publication Date
Solutions

CiviCRM version 5.57.0, 5.56.2, 5.51.4 (ESR)

Credits

Tim Otten, Seamus Lee

References

security/core#157