CIVI-SA-2018-02: Reflected XSS in Reports

When generating a report, users are able to pass filters in the URL. Some filters in contribution reports were not properly escaped. Additionally, on systems that enabled developer output for reports, the developer outputs were not properly escaped.

Extended Reports Extension:

For those CiviCRM users that use the extended reports extension, the CiviCRM Security Team advise that you should upgrade to the latest version of the extended report extension if possible. The extension from version 2.6 onwards will only with CiviCRM versions 4.7+. For of versions before 4.7, the CiviCRM Security Team advises that users should uninstall the extension on their systems.

Security Risk

Critical

Vulnerability

Cross Site Scripting

Affected Versions

CiviCRM versions 5.3.0 and 4.6.37 (and earlier)

Fixed Versions

CiviCRM version 5.3.1 and 4.6.38 (and later)

Solutions

Update to the latest version of CiviCRM

If you cannot upgrade then apply the following patch:

https://gist.github.com/seamuslee001/fca5d9f13dc81e050bb2908fc85bbbec

Credits

Patrick Figel of Greenpeace for reporting the issue.

Eileen McNaugton of Wikimedia Foundation and Sean Madsen of Left Join Labs for fixing the issue.

References

security/core#1

CIVI-SA-2018-02: Reflected XSS in Reports

WORK WITH A TRUSTED EXPERT
TO SETUP YOUR CIVICRM

Languages

CIVI-SA-2018-02: Reflected XSS in Reports

WORK WITH A TRUSTED EXPERT TO SETUP YOUR CIVICRM

WORK WITH A TRUSTED EXPERT
TO SETUP YOUR CIVICRM