CIVI-SA-2019-06: XSS in Contact Entity Reference Fields

Published
2019-02-20 09:00
When Contact entity reference fields are added to forms, the contact's display name is used as the field label, and that label was not HTML-escaped before being emitted into the page. A contact record whose display name contains markup could therefore inject script into any form that references it.
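The pattern behind this class of bug, as an added illustration that is not CiviCRM's own code: a label builder that interpolates an untrusted display name straight into markup, beside the hardened form that escapes at the point of interpolation. The function names, the `escapeHtml` helper and the sample display name are hypothetical and constructed for this example.

```javascript
// Added example, not code from CiviCRM or from this advisory. It models a
// hypothetical helper that builds the <label> markup for an entity reference
// field from a contact display name, the value this advisory says was not
// sanitised.

// Constructed attacker-controlled display name: a contact record whose name
// carries markup. Anyone permitted to edit that contact could set it.
const HOSTILE_DISPLAY_NAME =
  'Jane "<img src=x onerror=alert(document.cookie)>" Doe';

// Minimal HTML escaper covering the characters that matter in text content
// and in double- or single-quoted attribute values.
function escapeHtml(value) {
  const map = {
    '&': '&amp;',
    '<': '&lt;',
    '>': '&gt;',
    '"': '&quot;',
    "'": '&#039;',
  };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Vulnerable pattern: the display name is concatenated into markup as-is,
// so any tag inside it becomes part of the page.
function renderLabelVulnerable(fieldId, displayName) {
  return `<label for="${fieldId}">${displayName}</label>`;
}

// Hardened pattern: every untrusted value is escaped exactly where it is
// interpolated into HTML, so the browser renders the name as text.
function renderLabelSafe(fieldId, displayName) {
  return `<label for="${escapeHtml(fieldId)}">${escapeHtml(displayName)}</label>`;
}

// Crude regression check: does any tag other than the wrapping <label>
// survive in the rendered output?
function containsInjectedTag(html) {
  const inner = html.replace(/^<label[^>]*>/, '').replace(/<\/label>$/, '');
  return /<[a-z!/?]/i.test(inner);
}

console.log(renderLabelVulnerable('contact_id', HOSTILE_DISPLAY_NAME));
console.log(renderLabelSafe('contact_id', HOSTILE_DISPLAY_NAME));
```

The same rule applies whichever layer produces the markup: escape at output, in the context (text node or attribute) where the value lands, rather than trusting that a display name stored in the database is clean.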

Security Risk
Critical
Vulnerability
Cross-Site Scripting (XSS)
Affected Versions

CiviCRM versions 5.10.2 and earlier

Fixed Versions

CiviCRM versions 5.10.3 and 5.7.4

Solutions

Upgrade to CiviCRM 5.10.3, 5.7.4, or a later release.

Credits

Sean Colsen of Left Join Labs for reporting the issue.

Seamus Lee of Australian Greens for fixing the issue.

References

security/core#9