Important Notice: This is a security release. We recommend you immediately upgrade to one of the following versions:
Details of the security advisories are below:
- CIVI-SA-2021-01: Reflected Cross Site Scripting via Uploaded CSVs
- CIVI-SA-2021-02: Web Executable Utility Scripts
- CIVI-SA-2021-03: Cross Site Scripting in "Manage Extensions"
- CIVI-SA-2021-04: Cross Site Scripting in the APIv4 Explorer
- CIVI-SA-2021-05: Reflected Cross Site Scripting in Personal Campaign Pages
- CIVI-SA-2021-06: Timing Attacks Against the Site Key
- CIVI-SA-2021-07: SQL injection in Joomla user integration
Additionally, there are a few small patches for recent regressions. For full information, see the release notes for 5.35.1 and 5.33.3 ESR.
The CiviCRM Security Team would also like to make people aware of a public service announcement regarding changes to cryptography handling in CiviCRM.
We would also like to thank Deutsche Gesellschaft für Internationale Zusammenarbeit GmbH for funding this security release.
Support CiviCRM
We are committed to keeping CiviCRM free and open, forever. We depend on your support to help make that happen.
- Make a donation or contribute to a Make it happen campaign.
- If your organization wants to support our work, please become a member today.
- If you are a CiviCRM service provider, please become a partner.