CIVI-SA-2020-14: XSS in Profile Description field

Published
2020-08-19 09:00

In certain screens, the Profile "Description" field was not properly escaped to prevent cross site scripting.
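The pattern behind this class of bug, as an added illustration that is not CiviCRM's own code: a stored "Description" value concatenated straight into HTML markup (the unescaped rendering), beside the same rendering with output escaping for the HTML context. Function names and the sample value are constructed for the example.

```php
<?php
// Added illustration, not CiviCRM's own code: rendering a profile
// "Description" value into an HTML page, unescaped versus escaped.

declare(strict_types=1);

// Vulnerable pattern: the stored description is concatenated straight into
// the markup, so any HTML or script it contains is interpreted by the browser.
function renderDescriptionUnescaped(string $description): string
{
    return '<div class="description">' . $description . '</div>';
}

// Hardened pattern: escape on output for the HTML context.
// ENT_QUOTES also escapes single quotes (relevant inside attributes);
// ENT_SUBSTITUTE replaces invalid UTF-8 rather than returning an empty
// string, which would otherwise silently drop the whole value.
function renderDescriptionEscaped(string $description): string
{
    $safe = htmlspecialchars($description, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<div class="description">' . $safe . '</div>';
}

// Constructed sample value, as a user could have saved it in the field.
$description = 'Volunteer sign-up <script>alert(1)</script>';

// The first line reaches the browser as live markup; in the second the
// angle brackets are entity-encoded and the text is displayed literally.
echo renderDescriptionUnescaped($description), PHP_EOL;
echo renderDescriptionEscaped($description), PHP_EOL;
```

Where the value is printed from a template rather than PHP code, the same escaping has to be applied there (in Smarty, the `|escape` modifier); the check is that every screen that displays the field escapes it, not just the main one.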

Security Risk
Critical
Vulnerability
Cross Site Scripting
Affected Versions

CiviCRM version 5.28.0 and earlier

Fixed Versions

CiviCRM version 5.28.1 and 5.27.5 ESR

Solutions

Upgrade to the latest version of CiviCRM

Credits

Ben Hubbard of Armadillo Security for reporting the issue
Seamus Lee of CiviCRM Core Team for fixing the issue

References

security/core#96