Publicado
2025-12-17 12:00
The "Accounting Batch" interface is vulnerable to a cross-site scripting issue.
Exploiting this vulnerability requires permission create manual batch.
Security Risk
Moderately Critical
Vulnerability
Cross Site Scripting
Affected Versions
CiviCRM v6.9.0 and earlier
Fixed Versions
CiviCRM v6.9.1, v6.4.2 (ESR), and later
Publication Date
Solutions
Any ONE of the following will mitigate the vulnerability:
- Upgrade to a fixed version of CiviCRM, or...
- Manually apply the patch from https://lab.civicrm.org/-/snippets/102, or...
- Manually edit the file
templates/CRM/Financial/Page/BatchTransaction.tpl. Near the end, change.html(val)to.text(val). Or... - Limit the users/roles with permission
create manual batch. Only grant this permission to trusted administrators.
Credits
Luke Stewart (Fuzion), Seamus Lee (JMA Consulting/CiviCRM), Luke Hebenstreit
CVE
CVE-2025-65187
