This page lists all security advisories since June 2013. For older security advisories see this post. Security release announcements (starting with v4.2) are also listed here.
CiviCRM's qfKey protects against cross-site request-forgery (CSRF) attacks. The handling of the qfKey is weaker than expected.
Upgrade Note: The update changes the representation of the qfKey. If you apply the update at the same time that an active user is working with a web form, then the user may temporarily retain an old (invalid) qfKey. Their next form submission may fail. However, this is quickly resolved by reloading the form (or navigating to any other form).
When embedding a saved-search in a custom form, administrators may pre-configure mandatory filter-criteria. In some cases, the mandatory criteria can be bypassed.
An authenticated user with permission to view file-attachments may be able to move/remove arbitrary files on the server.
Upgrade Note: This update constrains access to APIv4's File entity and the recently added option, move_file. The constraint parallels a similar constraint in APIv3's Attachment. To use the move_file option, you must invoke the API through a trusted channel (e.g. PHP-API) and set checkPermissions=>FALSE.
CiviCRM generates *.pdf files with the assistance of a PDF engine. It is compatible with multiple engines, including the default DOMPDF and the alternative wkhtmltopdf. The latter option is now unsupported and insecure. Sites should remove it.
(Note: wkhtmltopdf is not distributed by CiviCRM. This is a public service announcement to alert people who may have installed wkhtmltopdf as an add-on.)
The helper function CRM_Utils_File::cleanDir() is used to clean up certain data folders. In some situations, it might be tricked into deleting additional files outside of the target directory.
Multiple AJAX end-points may be vulnerable to cross-site request forgery (CSRF).
This release updates a large number of older end-points originating circa CiviCRM 1.x-3.x. Detailed severity ratings were not assessed for all these end-points, but several samples were assessed. The severity ranged from "Not Critical" to "Moderately Critical". Thus, the overall issue is classified as "Moderately Critical".
CiviCRM uses the Smarty template system for high-trust content (built-in template files, written by developers) and low-trust content (user-supplied templates, written by back-office users). Low-trust content is subject to sandboxing, but there were issues in how this was applied.
CiviCRM includes the Smarty v2 templating engine. Templates are defined by core code, by third-party extensions, and by configurable content. The upstream smarty.net project has stopped publishing security backports for Smarty v2, so civicrm.org will do so (until a migration to a newer Smarty is complete).
As part of this, the CiviCRM security team has done a detailed audit to compare recent issues from v2/v3/v4.
A problematic code pattern was found in ~8 places. Any of these places could be vulnerable to a SQL injection (SQLI) attack. However, it is believed that most or all have mitigating factors that prevent exploits.
KCFinder provides a file-management dialog for CKEditor 4. It included two vulnerabilities:
It allowed a "reflected" cross-site scripting (XSS) attack.
It bypassed a CiviCRM policy option which limits file-uploads. (This bypass was still subject to other restrictions. The likely impact is to allow a "stored" XSS attack. However, it is possible for there to be other impacts.)