Published: Mon, 22 Mar 2021 01:59:30 -0700
(This is a public service announcement related to security functionality. It does not detail an exploitable vulnerability. Rather, we wish to advise administrators and developers about an ongoing change to improve security.)
CiviCRM v3.1 introduced a helper "CRM_Utils_Crypt" which encrypted the SMTP password. This mechanism is being phased out circa 5.34 in favor of a more secure mechanism. We will briefly consider the purpose of the mechanism, some of its issues, and the details of the change.
Published: Thu, 11 Mar 2021 09:00:07 -0800
In the Joomla integration, some references to user-account records were not properly sanitized.
Published: Tue, 09 Mar 2021 09:00:06 -0800
CiviCRM's REST API traditionally requires two keys, the "API Key" and the "Site Key". The "Site Key" could potentially be extracted by a "timing attack". In this scenario, an attacker would send many invalid requests, build a statistical profile, and infer the most likely value.
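The mitigation for the timing attack described above is a comparison whose running time does not depend on how many leading bytes of the submitted key match. The following is an added example written for this page, not CiviCRM's own code: it places the early-exit comparison that leaks timing beside the constant-time form built on PHP's `hash_equals()`. The constant `CONFIGURED_SITE_KEY` and the function names are constructed for illustration.

```php
<?php
// Added example (not CiviCRM code): checking a submitted site key against the
// configured one without letting response time reveal the matching prefix.

declare(strict_types=1);

// Constructed sample value; a real deployment reads the key from its settings.
const CONFIGURED_SITE_KEY = 'constructed-example-site-key-not-a-real-secret';

/**
 * Timing-leaking pattern: a byte-by-byte loop that returns at the first
 * mismatch. The number of iterations, and so the response time, grows with
 * the length of the matching prefix, which is the signal a timing attack
 * builds its statistical profile from.
 */
function siteKeyMatchesEarlyExit(string $submitted, string $configured): bool
{
    if (strlen($submitted) !== strlen($configured)) {
        return false;
    }
    for ($i = 0, $n = strlen($configured); $i < $n; $i++) {
        if ($submitted[$i] !== $configured[$i]) {
            return false; // leaks the position of the first differing byte
        }
    }
    return true;
}

/**
 * Hardened pattern: hash_equals() (PHP >= 5.6) compares every byte regardless
 * of where the first mismatch is, so the time taken does not depend on the
 * submitted value. Hashing both sides first also keeps the length of the
 * configured key from being observable through the length check.
 */
function siteKeyMatchesConstantTime(string $submitted, string $configured): bool
{
    return hash_equals(
        hash('sha256', $configured, true), // known-good value goes first
        hash('sha256', $submitted, true)
    );
}

/**
 * Hypothetical request entry point: rejects the request unless the key check
 * passes, and never echoes the expected value back to the client.
 */
function checkSiteKeyFromRequest(array $request): bool
{
    $submitted = isset($request['key']) && is_string($request['key'])
        ? $request['key']
        : '';
    return siteKeyMatchesConstantTime($submitted, CONFIGURED_SITE_KEY);
}

// Usage with constructed inputs: one correct key, one wrong key.
var_dump(checkSiteKeyFromRequest(['key' => CONFIGURED_SITE_KEY]));
var_dump(checkSiteKeyFromRequest(['key' => 'constructed-wrong-key']));
```

Only the constant-time function should be reachable from request handling; the early-exit version is included solely to show the shape of code that produces the measurable timing difference.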
Published: Tue, 09 Mar 2021 09:00:05 -0800
The introduction text on a Personal Campaign Page (PCP) was not properly sanitised prior to display on the Personal Campaign page.
Published: Tue, 09 Mar 2021 09:00:04 -0800
When generating the example code in the APIv4 Explorer, the user-entered data was not properly sanitised before being displayed as example code within the Explorer.
Published: Tue, 09 Mar 2021 09:00:03 -0800
The "Manage Extensions" screen provides a list of extensions published by third-party developers. If an extension had a malicious description, it could trick the user's browser into executing Javascript code.
Note: To exploit this, an attacker would need to gain control of a trusted developer account, and they would leave evidence in a public feed. At time of writing, there is no known evidence of previous attack. Resolving this issue prevents future attacks.
Published: Tue, 09 Mar 2021 09:00:02 -0800
The development tree for CiviCRM includes a handful of utility scripts in the folders "sql/" and "tools/". These scripts may manipulate data (e.g. generating fake contact records), and they lacked guards to protect from remote/malicious use.
This issue does not affect most deployments which use the standard CiviCRM releases ("*.tar.gz" or "*.zip"). The issue primarily affects developmental/testing systems or highly-customized deployments which directly read from CiviCRM's source code-management system ("git").
Published: Tue, 09 Mar 2021 09:00:01 -0800
When importing data from CSV, the user's browser could be tricked into executing Javascript.
This vulnerability does not escalate the permissions of the user. However, if the user imports data from another application/system, then it could be used for an attack.
Published: Wed, 19 Aug 2020 09:00:19 -0700
In some situations, users without the permission "edit contributions" could edit recurring contributions.
Published: Wed, 19 Aug 2020 09:00:18 -0700
In certain output media, error messages were not properly escaped.
This issue did not lead directly to cross-site scripting, but it could lead to other HTML injections.
Published: Wed, 19 Aug 2020 09:00:17 -0700
For each session, CiviCRM stores a private session key. This patch addresses multiple issues which could compromise the strength or security of the key.
Published: Wed, 19 Aug 2020 09:00:16 -0700
The jQuery project released version 3.5.0, and as part of that, disclosed two security vulnerabilities that affect all prior versions. As mentioned in the jQuery blog, both are
"[...] security issues in jQuery’s DOM manipulation methods, as in .html(), .append(), and the others. Security advisories for both of these issues have been published on GitHub."
Those advisories are:
Published: Wed, 19 Aug 2020 09:00:15 -0700
In certain screens, the Activity "Subject" field was not properly escaped to prevent cross site scripting.
Published: Wed, 19 Aug 2020 09:00:14 -0700
In certain screens, the Profile "Description" field was not properly escaped to prevent cross site scripting.
Published: Wed, 19 Aug 2020 09:00:13 -0700
In certain screens, the Event "Summary" field was not properly escaped to prevent cross site scripting.
Published: Wed, 19 Aug 2020 09:00:12 -0700
CiviCRM did not provide sufficient protection on the CKEditor configuration form, which could allow a user to store and execute Javascript.
Note: This form had another vulnerability in the same version. The risk from two overlapping vulnerabilities may be greater than the risk of each individually.
Published: Wed, 19 Aug 2020 09:00:11 -0700
CiviCRM did not provide sufficient protection on the CKEditor configuration form, which could allow a malicious third-party to trick a CiviCRM administrator into changing the configuration.
Note: This form had another vulnerability in the same version. The risk from two overlapping vulnerabilities may be greater than the risk of each individually.
Published: Wed, 19 Aug 2020 09:00:10 -0700
When viewing an activity, the activity details were not sufficiently filtered to prevent cross-site scripting attacks.
Published: Wed, 19 Aug 2020 09:00:09 -0700
In CiviCRM, an Access Control List (ACL) confers limited access to contact records (based on the membership list for a "Group" of contacts). In configurations with "ACL Smart Groups", a flaw allowed limited backend users to re-define their group criteria and gain elevated access. The fix ensures that only trusted users (with permission "edit groups") may re-define the group criteria.
Published: Wed, 15 Apr 2020 12:00:08 -0700
Two Javascript libraries (QUnit and Google Code Prettify) are used with CiviCRM. These libraries include some assets which can be used in a cross-site scripting attack and which are not required for CiviCRM at runtime.
Published: Wed, 15 Apr 2020 12:00:07 -0700
The "Schedule Jobs" page was vulnerable to a cross-site request forgery. If an administrative user visited a malicious page outside of CiviCRM, the malicious page could trick that user's browser into executing a job on the CiviCRM site.
Published: Wed, 15 Apr 2020 12:00:06 -0700
When constructing contact search queries, values for certain fields were not properly escaped -- allowing for SQL injection.
Published: Wed, 15 Apr 2020 12:00:05 -0700
When constructing the SQL queries for deleting activities or getting summary information about CiviCampaigns, there was inadequate escaping of SQL variables that were passed in from request parameters.
Published: Wed, 15 Apr 2020 12:00:04 -0700
CiviCRM did not properly purify the content of the note fields attached to CiviCase activities when generating Case Reports or viewing the Case Activity.
Published: Wed, 15 Apr 2020 12:00:03 -0700
Backend users may be able to upload and execute a maliciously crafted "PHAR" file.
The "PharExtensionInterceptor" library from Typo3 addresses this problem. Many projects - including the current Drupal and Joomla releases - already activate this protection and are already secure. However, some environments - such as WordPress - do not have it. This update extends the protection to all CiviCRM-supported environments.
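The protection described above works by replacing PHP's built-in `phar://` stream wrapper with one that refuses any path whose archive component does not end in `.phar`, so an uploaded file with an innocuous extension cannot be opened as an archive. The following is an added example for this page, not CiviCRM's or TYPO3's own code: it bootstraps the interceptor in the way the `typo3/phar-stream-wrapper` package documents and wraps a filesystem call so a rejected path is logged and treated as absent. The Composer autoloader path, the `installPharGuard` and `safeFileExists` function names, and the sample path are assumptions.

```php
<?php
// Added example (not CiviCRM code): installing the TYPO3 PharStreamWrapper so
// that phar:// is only honoured for files actually named *.phar, then using a
// small wrapper so that blocked paths are logged rather than surfacing as an
// unhandled exception.
//
// Assumes the typo3/phar-stream-wrapper package is installed with Composer;
// the class names follow that package's documented bootstrap.

declare(strict_types=1);

require __DIR__ . '/vendor/autoload.php'; // assumed Composer autoloader path

use TYPO3\PharStreamWrapper\Behavior;
use TYPO3\PharStreamWrapper\Exception as PharStreamException;
use TYPO3\PharStreamWrapper\Interceptor\PharExtensionInterceptor;
use TYPO3\PharStreamWrapper\Manager;
use TYPO3\PharStreamWrapper\PharStreamWrapper;

/**
 * Register the checking wrapper in place of PHP's default phar:// wrapper.
 * Call once at application bootstrap, before any user-controlled path can
 * reach a filesystem function.
 */
function installPharGuard(): void
{
    // Every phar:// access must point at a file whose name ends in ".phar".
    Manager::initialize(
        (new Behavior())->withAssertion(new PharExtensionInterceptor())
    );

    // Swap the built-in wrapper for the one that enforces the assertion.
    if (in_array('phar', stream_get_wrappers(), true)) {
        stream_wrapper_unregister('phar');
    }
    stream_wrapper_register('phar', PharStreamWrapper::class);
}

/**
 * file_exists() with the guard in place: a phar:// path that fails the
 * extension assertion makes the wrapper throw; we record it for detection
 * and report the file as absent instead of letting the archive be parsed.
 */
function safeFileExists(string $path): bool
{
    try {
        return file_exists($path);
    } catch (PharStreamException $e) {
        error_log('Blocked phar:// access to ' . $path . ': ' . $e->getMessage());
        return false;
    }
}

installPharGuard();

// Constructed sample: an upload stored with an image extension, referenced
// through the phar:// wrapper. With the guard installed the assertion fails
// because the archive component is "avatar.jpg", not a *.phar file.
var_dump(safeFileExists('phar:///tmp/uploads/avatar.jpg/anything'));
```

Installing the guard is the part that closes the hole; the `safeFileExists` wrapper only decides what the application does once a request has been refused. The `error_log` line gives operators a signal worth alerting on, since legitimate code paths in a web application rarely open `phar://` URLs at all.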