Published: Wed, 16 Oct 2024 13:00:01 -0700
CiviCRM generates *.pdf files with the assistance of a PDF engine. It is compatible with multiple engines, including the default DOMPDF and the alternative wkhtmltopdf. The latter option is now unsupported and insecure. Sites should remove it.
(Note: wkhtmltopdf is not distributed by CiviCRM. This is a public service announcement to alert people who may have installed wkhtmltopdf as an add-on.)
Published: Wed, 16 Oct 2024 12:00:07 -0700
The helper function CRM_Utils_File::cleanDir() is used to clean up certain data folders. In some situations, it might be tricked into deleting additional files outside of the target directory.
Published: Wed, 16 Oct 2024 12:00:06 -0700
There are stored cross-site scripting vulnerabilities involving some variations of the "name" and "source" fields in certain backend screens.
Published: Wed, 16 Oct 2024 12:00:05 -0700
Multiple AJAX end-points may be vulnerable to Cross Site Request Forgery.
This release updates a large number of older end-points originating circa CiviCRM 1.x-3.x. Detailed severity ratings were not assessed for all these end-points, but several samples were assessed. The severity ranged from "Not Critical" to "Moderately Critical". Thus, the overall issue is classified as "Moderately Critical".
Published: Wed, 16 Oct 2024 12:00:04 -0700
In some parts of the CiviCRM administrative interface, the "Copy" or "Clone" actions are vulnerable to cross-site request forgery.
Published: Wed, 19 Jun 2024 12:00:03 -0700
CiviCRM uses the Smarty template system for high-trust content (built-in template files, written by developers) and low-trust content (user-supplied templates, written by back-office users). Low-trust content is subject to sandboxing, but there were issues in how this was applied.
Published: Wed, 19 Jun 2024 12:00:02 -0700
Web-pages which use the "Resources" API to inject JSON data ("settings") may create vectors for XSS attacks.
Published: Wed, 19 Jun 2024 12:00:01 -0700
Within the "View Contact" screen and its sub-pages, there were multiple cross-site scripting vulnerabilities.
Published: Wed, 06 Sep 2023 23:59:01 -0700
CiviCRM includes the Smarty v2 templating engine. Templates are defined by core code, by third-party extensions, and by configurable content. The upstream smarty.net project has stopped publishing security backports for Smarty v2, so civicrm.org will do so (until a migration to a newer Smarty is complete).
As part of this, the CiviCRM security team has done a detailed audit to compare recent issues from v2/v3/v4.
Published: Wed, 06 Sep 2023 12:00:15 -0700
CiviEvent included multiple screens with a vulnerability to cross-site scripting (XSS).
Published: Wed, 06 Sep 2023 12:00:14 -0700
Some administrative actions for "Contact" profile-images lacked sufficient validation, making them vulnerable to a cross-site request forgery (CSRF).
Published: Wed, 06 Sep 2023 12:00:13 -0700
In CiviCampaign, the "Survey" functionality includes a field that may be vulnerable to cross-site scripting (XSS).
Published: Wed, 06 Sep 2023 12:00:12 -0700
The package "jquery-validation" may be vulnerable to a Denial of Service (DoS) involving its handling of regular expressions.
We have not identified an attack scenario affecting CiviCRM, but the update appears to be a safe and sensible precaution.
Published: Wed, 06 Sep 2023 12:00:11 -0700
Select2 is an auto-complete widget. In multiple places where CiviCRM uses Select2, it was vulnerable to a stored cross-site scripting (XSS) attack.
(We believe that exploiting this requires that both the attacker and the victim have a high level of access to the same CiviCRM deployment.)
Published: Wed, 06 Sep 2023 12:00:10 -0700
A problematic code pattern was found in ~8 places. Any of these places could be vulnerable to a SQL injection (SQLi) attack. However, it is believed that most or all have mitigating factors that prevent exploits.
Published: Wed, 06 Sep 2023 12:00:09 -0700
Users with access to APIv3 or APIv4 via any medium (including a web browser) may be able to execute a SQL injection (SQLi) attack.
Published: Wed, 06 Sep 2023 12:00:08 -0700
KCFinder provides a file-management dialog for CKEditor 4. It included two vulnerabilities:
- It allowed a "reflected" cross-site scripting (XSS) attack.
- It bypassed a CiviCRM policy option which limits file-uploads. (This bypass was still subject to other restrictions. The likely impact is to allow a "stored" XSS attack. However, it is possible for there to be other impacts.)
Published: Wed, 06 Sep 2023 12:00:07 -0700
Template authors can perform remote code execution (RCE) with a specially crafted call to the {math} function.
(This issue was identified as part of a general audit of Smarty v2, CIVI-PSA-2023-01.)
Published: Wed, 15 Feb 2023 12:00:06 -0800
The "dompdf" library has a vulnerability which allows remote code execution. It may be exploited by some backend users.
Published: Wed, 15 Feb 2023 12:00:05 -0800
The CiviCRM-WordPress module includes a "Quick Add" widget that can be used to trick another user into executing arbitrary HTML and JavaScript.
(This vulnerability is similar to "stored cross-site scripting". However, exploiting it requires backend privileges to access CiviCRM, so it can only be exploited by internal users.)
Published: Wed, 15 Feb 2023 12:00:04 -0800
CiviCRM's file-upload mechanism includes a guard to limit the range of accepted file-types. However, the guard is too relaxed - in some configurations, this enables a less-privileged data-administrator to execute arbitrary code.
Published: Wed, 04 Jan 2023 12:00:03 -0800
Asset Builder allows CiviCRM and its extensions to generate dynamic assets. A vulnerability allowed third-parties to trick it into generating assets with unintended inputs.
Exploiting this vulnerability depends on several details (e.g. the asset data-types, input-parameters, and web-domain policies). For the specific assets and configurations that we tested, attacks were substantively constrained by the browsers' "Same Origin Policy". However, other assets and other configurations could be impacted more severely.
Published: Wed, 04 Jan 2023 12:00:02 -0800
CiviEvent included a vector for reflected cross-site-scripting (XSS) attacks.
Published: Wed, 04 Jan 2023 12:00:01 -0800
The "Help" subsystem did not sufficiently validate the location/origin of its source files. If combined with a web-based upload tool, this could allow a user to execute arbitrary code.
With CiviCRM's standard upload tools, exploiting this vulnerability requires permission "administer CiviCRM". However, other upload tools (such as CMS plugins) could provide other attack vectors.