CIVI-SA-2016-23 Unescaped html in entity reference fields

Publié
2016-12-01 15:23
Written by

When displaying entity reference fields, the labels were not properly being escaped.

Security Risk
Critical
Vulnerability
Cross Site Scripting
Affected Versions
  • 4.7.13 and earlier
  • 4.6.23 and earlier
Fixed Versions
  • 4.7.14
  • 4.6.24
Solutions

Update to the latest version of CiviCRM

  • 4.6.24
  • 4.7.14

If you cannot upgrade apply the following patch https://github.com/civicrm/civicrm-core/pull/9482/files

Credits

Coleman Watts for raising the issue and providing a fix.

References