CIVI-SA-2019-18: XSS in CiviCRM installer

Publicado
2019-05-15 09:00
Written by

When determining the installer type that is being used, the variable was not properly validated to ensure that it was ony one of a specific set of installer types.

Security Risk
Moderately Critical
Vulnerability
Cross Site Scripting
Affected Versions

CIviCRM 5.13.0 and earlier

Fixed Versions

CiviCRM version 5.13.4 and 5.7.6

Solutions

Upgrade to the latest version of CiviCRM

Credits

Patrick Figel of Greenpeace for reporting the issue

Seamus Lee of Australian Greens for fixin the issue

References

security/core#52