Published
2024-06-19 12:00
Web pages that use the "Resources" API to inject JSON data ("settings") may create vectors for XSS attacks.
Security Risk
Moderately Critical
Vulnerability
Cross-Site Scripting
Affected Versions
CiviCRM version 5.74.3 and earlier
Fixed Versions
CiviCRM versions 5.74.4 and 5.69.6 (ESR)
Publication Date
Solutions
Upgrade to the fixed version of CiviCRM
Credits
Wikimedia Foundation - Eileen McNaughton; CiviCRM - Tim Otten, Coleman Watts
References
security/core!171