CIVI-SA-2024-06: Source and Name Fields (XSS)

Published
2024-10-16 12:00
Written by

There are stored cross-site scripting vulnerabilities involving some variations of the "name" and "source" fields in certain backend screens.

Security Risk
Critical
Vulnerability
Cross Site Scripting
Affected Versions

CiviCRM versions 5.78.1 and earlier

Fixed Versions

CiviCRM versions 5.78.2 and 5.75.4 (ESR)

Publication Date
Solutions

Upgrade to the latest CiviCRM version

Credits
  • Reporter: Seamus Lee of JMA Consulting & CiviCRM Core Team
  • Development/Review: Seamus Lee of JMA Consulting & CiviCRM Core Team, Tim Otten of CiviCRM Core Team, Patrick Figel of Greenpeace Central and Eastern Europe, Kevin Cristiano of Tadpole Collective
References

security/core#134