CIVI-SA-2013-002 - OpenFlashChart XSS

2013-06-05 09:17
Written by
totten - member of the CiviCRM community

OpenFlashChart is a library used to render charts on dashboards and in reports in CiviCRM v3+. The library includes a program written for Adobe Flash (packages/OpenFlashChart/open-flash-chart.swf) which accepts its data via the query string. That data is not properly sanitised before use. Because the SWF is served from the CiviCRM site's own origin, an attacker who gets an authorized user to open a maliciously constructed link can cause arbitrary JavaScript to execute in that user's browser, within the user's CiviCRM session (reflected cross-site scripting).

Security Risk
Moderately Critical
Cross Site Scripting
Affected Versions

CiviCRM v3.1.0 - v4.2.9, v4.3.0 - v4.3.3

Fixed Versions

CiviCRM v4.2.10 and v4.3.4


Any ONE of the following solutions will provide protection:

  • Upgrade to CiviCRM v4.2.10 or v4.3.4 (whichever matches the branch you are running).
  • Upgrade the OpenFlashChart program included with your version of CiviCRM by downloading the security update and replacing the file "packages/OpenFlashChart/open-flash-chart.swf" with the patched copy.
  • Remove the file "packages/OpenFlashChart/open-flash-chart.swf". (This removes the vulnerable component entirely, but it will break charts on reports and dashboards until the file is restored from a fixed release.)

Whichever option you choose, confirm afterwards that no unpatched copy of open-flash-chart.swf remains reachable under the web root: the attack only needs the victim's browser to be able to fetch the old SWF.
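The following script is an added example for auditing an installation against this advisory and applying the third workaround; it is not part of the CiviCRM advisory or of CiviCRM itself. The SWF path is the one named above. The script assumes (this is not stated by the advisory) that the CiviCRM root contains xml/version.xml with a <version_no> element, and the function and file names below are the example's own.

```shell
#!/bin/sh
# Added example (not CiviCRM code): audit a CiviCRM install for
# CIVI-SA-2013-002 and optionally apply the "remove the SWF" workaround.
# Assumption: ROOT/xml/version.xml holds <version_no>X.Y.Z</version_no>.

OFC_SWF="packages/OpenFlashChart/open-flash-chart.swf"   # path from the advisory

# civi_version ROOT -> prints the installed version, e.g. "4.3.3"
civi_version() {
    sed -n 's/.*<version_no>\([0-9.]*\)<\/version_no>.*/\1/p' "$1/xml/version.xml" 2>/dev/null | head -n 1
}

# version_num "4.3.3" -> 40303 (major*10000 + minor*100 + patch), so that
# versions can be compared with plain integer tests in POSIX sh.
version_num() {
    set -- $(printf '%s\n' "$1" | tr '.' ' ')
    echo $(( ${1:-0} * 10000 + ${2:-0} * 100 + ${3:-0} ))
}

# ofc_affected VERSION -> returns 0 if the advisory lists VERSION as affected:
# 3.1.0 - 4.2.9 or 4.3.0 - 4.3.3. Fixed releases are 4.2.10 and 4.3.4.
ofc_affected() {
    n=$(version_num "$1")
    [ "$n" -ge 30100 ] && [ "$n" -le 40209 ] && return 0
    [ "$n" -ge 40300 ] && [ "$n" -le 40303 ] && return 0
    return 1
}

# ofc_status ROOT -> prints one word and returns 0 (safe) or 1 (needs action):
#   fixed      version outside the affected ranges
#   mitigated  affected version, but the SWF has already been removed
#   vulnerable affected version and the SWF is still present
#   unknown    version could not be read
ofc_status() {
    root=$1
    v=$(civi_version "$root")
    if [ -z "$v" ]; then echo unknown; return 1; fi
    if ! ofc_affected "$v"; then echo fixed; return 0; fi
    if [ -e "$root/$OFC_SWF" ]; then echo vulnerable; return 1; fi
    echo mitigated
    return 0
}

# ofc_remove_swf ROOT BACKUP_DIR -> workaround 3 from the advisory: move the
# SWF out of the web root. BACKUP_DIR must be outside the document root so the
# old file cannot be fetched; it is kept only so the file can be restored
# from a fixed release later. Charts on reports/dashboards stop working.
ofc_remove_swf() {
    root=$1; backup=$2
    [ -e "$root/$OFC_SWF" ] || return 0       # nothing to do
    mkdir -p "$backup" || return 1
    mv "$root/$OFC_SWF" "$backup/open-flash-chart.swf.$(date +%Y%m%d%H%M%S)" || return 1
    return 0
}

# Usage (after sourcing this file):
#   ofc_status /var/www/html/sites/all/modules/civicrm
#   ofc_remove_swf /var/www/html/sites/all/modules/civicrm /var/backups/civicrm-ofc
```

The version check encodes only the ranges stated in this advisory; a version it reports as "fixed" is simply one outside those ranges, so run the check again if a later advisory changes the affected list.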