CIVI-SA-2018-06: Reflected XSS in Context Parameter

Published
2018-07-18 09:00
The "context" parameter, which a number of screens read from the request, was not properly validated. On some screens the unvalidated value was reflected into the page, which was found to enable cross-site scripting attacks. To correct the known vulnerability and to guard against similar ones that have not yet been identified, the validation rules have been tightened across a wide range of screens.
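
The pattern behind this class of bug, and the fix the advisory describes, shown as an added example (this is not CiviCRM's own code and does not reproduce the actual patch): a request parameter that selects a screen "context" is reflected into an HTML attribute without validation, next to a version that accepts only values from an allowlist and escapes on output. The function names, the list of allowed contexts and the probe string are all constructed for the demonstration.

```php
<?php
// Added example, not CiviCRM code: allowlist validation for a "context"-style
// request parameter that a screen reflects back into its HTML.

// Hypothetical set of context values a screen is willing to accept.
// CiviCRM's real lists differ per screen; this one is constructed for the demo.
const ALLOWED_CONTEXTS = ['search', 'dashboard', 'advanced', 'user'];
const DEFAULT_CONTEXT  = 'search';

/**
 * Vulnerable pattern: the raw parameter is reflected into an HTML attribute.
 * A crafted URL such as ?context="><script>alert(1)</script> closes the
 * attribute and injects markup, which the victim's browser then executes.
 */
function renderContextFieldVulnerable(string $context): string
{
    return '<input type="hidden" name="context" value="' . $context . '">';
}

/**
 * Hardened: accept only a known value, otherwise fall back to the default
 * instead of echoing whatever arrived. The comparison is strict and
 * case-sensitive, so "Search" or "search\0" do not slip through.
 */
function validateContext(
    ?string $context,
    array $allowed = ALLOWED_CONTEXTS,
    string $default = DEFAULT_CONTEXT
): string {
    if ($context !== null && in_array($context, $allowed, true)) {
        return $context;
    }
    return $default;
}

/**
 * Output is escaped for the attribute context as a second layer: the allowlist
 * stops unexpected values today, escaping stops a later edit to the list
 * (say, a value containing a quote) from reopening the hole.
 */
function renderContextFieldHardened(?string $context): string
{
    $safe = validateContext($context);
    return '<input type="hidden" name="context" value="'
        . htmlspecialchars($safe, ENT_QUOTES | ENT_HTML5, 'UTF-8') . '">';
}

// Constructed demonstration input, the shape a reflected-XSS probe takes.
$payload = '"><script>alert(document.domain)</script>';

echo 'vulnerable: ' . renderContextFieldVulnerable($payload) . PHP_EOL;
echo 'hardened:   ' . renderContextFieldHardened($payload) . PHP_EOL;
echo 'hardened:   ' . renderContextFieldHardened('dashboard') . PHP_EOL;
```

The same check applies wherever an enumerated request value is used, not only in templates: a context string that steers a redirect target or a query clause should go through the allowlist before it is used, because escaping for HTML does nothing for those sinks.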

Security Risk
Critical
Vulnerability
Cross Site Scripting
Affected Versions

CiviCRM versions 5.3.0 and 4.6.37 (and earlier)


Fixed Versions

CiviCRM version 5.3.1 and 4.6.38 (and later)


Solutions

Upgrade to CiviCRM 5.3.1 or 4.6.38, or a later release on the same branch.

Credits
Patrick Figel of Greenpeace for reporting the issue.
Sean Madsen of Left Join Labs for fixing the issue.
References

security/core#14