CIVI-SA-2018-02: Reflected XSS in Reports

Publicado
2018-07-18 09:00
Written by

When generating a report, users are able to pass filters in the URL. Some filters in contribution reports were not properly escaped. Additionally, on systems that enabled developer output for reports, the developer outputs were not properly escaped.

Extended Reports Extension:

For those CiviCRM users that use the extended reports extension, the CiviCRM Security Team advise that you should upgrade to the latest version of the extended report extension if possible. The extension from version 2.6 onwards will only with CiviCRM versions 4.7+. For of versions before 4.7, the CiviCRM Security Team advises that users should uninstall the extension on their systems.

Security Risk
Critical
Vulnerability
Cross Site Scripting
Affected Versions

CiviCRM versions 5.3.0 and 4.6.37 (and earlier)

Fixed Versions

CiviCRM version 5.3.1 and 4.6.38 (and later)

Solutions

Update to the latest version of CiviCRM

If you cannot upgrade then apply the following patch:

https://gist.github.com/seamuslee001/fca5d9f13dc81e050bb2908fc85bbbec

Credits
Patrick Figel of Greenpeace for reporting the issue.
 
Eileen McNaugton of Wikimedia Foundation and Sean Madsen of Left Join Labs for fixing the issue.
References

security/core#1