CIVI-SA-2019-05: XSS in "New Pledge" form

Published
2019-02-20 09:00
Written by

The "Currency" element of a new pledge was not properly validated, which could potentially lead to a cross-site scripting attack.

Security Risk
Less Critical
Vulnerability
Cross Site Scripting
Affected Versions

CiviCRM Versions 5.10.2 and earlier

Fixed Versions

CiviCRM Versions 5.10.3 and 5.7.4

Solutions

Upgrade to the latest version of CiviCRM

Credits

Patrick Figel of Greenpeace for reporting and fixing the issue

References

security/core#16