CIVI-SA-2021-01: Reflected Cross Site Scripting via Uploaded CSVs

Publicado
2021-03-09 09:00
Written by

When importing data from CSV, the user's browser could be tricked into executing Javascript.

This vulnerability does not escalate the permissions of the user. However, if the user imports data from another application/system, then it could be used for an attack.

Security Risk
Critical
Vulnerability
Cross Site Scripting
Affected Versions

CiviCRM versions 5.35.0 and earlier

Fixed Versions

CiviCRM version 5.35.1 and ESR version 5.33.3

Publication Date
Solutions

Any ONE of these solutions would be sufficient:

  • Upgrade to the latest version of CiviCRM
  • Refrain from importing CSVs with data that you did not directly generate yourself.
Credits

Reported by Pradeep Nayak of Circle Interactive

Fixed by Seamus Lee of JMA Consulting / CiviCRM Core Team 

Funded by Deutsche Gesellschaft für Internationale Zusammenarbeit (GIZ) GmbH

References

security/core#100