CIVI-SA-2017-04: Incorrect escaping for "On Behalf Of" block

Gepubliceerd
2017-07-05 23:00
Written by

In CiviContribute forms which combine the "On Behalf Of" feature with "Organization" records, some data was not properly escaped.

Security Risk
Less Critical
Vulnerability
Cross Site Scripting
Affected Versions
  • 4.7.20 and earlier
  • 4.6.28 and earlier
Fixed Versions
  • 4.7.21
  • 4.6.29
Solutions

Upgrade to the latest version of CiviCRM

If you cannot upgrade then apply the following patch

Credits

Alan Dixon of Blackfly Solutions for reporting and fixing the issue