Published
2019-11-20 09:00
When loading dashboard dashlets, CiviCRM did not ensure that dashlet titles were escaped before being rendered into the page, so a title containing HTML or script was emitted verbatim, resulting in cross-site scripting.
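The pattern behind this class of bug, shown as an added example that is not CiviCRM's own code: a dashlet title concatenated straight into markup beside the same rendering with the title escaped for its HTML context. The function names, the dashlet object shape and the sample title are assumptions made for illustration, not taken from the advisory or the project.

```javascript
// Added example (not CiviCRM's code): rendering a dashlet title into HTML
// with and without escaping. Function names and the dashlet shape are
// assumptions for illustration.

// Minimal HTML escaper covering the five characters that matter in text
// and double-quoted attribute contexts.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Vulnerable pattern: the title is concatenated straight into markup, so
// any HTML in it becomes part of the page and any script in it executes.
function renderDashletUnsafe(dashlet) {
  return '<div class="dashlet" id="dashlet-' + dashlet.id + '">' +
    '<h3 class="dashlet-title">' + dashlet.title + '</h3>' +
    '</div>';
}

// Hardened pattern: every untrusted value is escaped for its context
// before it reaches the markup. The browser then shows the title as text.
function renderDashletSafe(dashlet) {
  return '<div class="dashlet" id="dashlet-' + escapeHtml(dashlet.id) + '">' +
    '<h3 class="dashlet-title">' + escapeHtml(dashlet.title) + '</h3>' +
    '</div>';
}

// Regression check: the rendered markup must not contain any tag other
// than the ones the template itself emits.
function containsForeignTag(html) {
  const tags = html.match(/<\/?([a-zA-Z][a-zA-Z0-9]*)/g) || [];
  const allowed = new Set(['<div', '</div', '<h3', '</h3']);
  return tags.some(t => !allowed.has(t));
}

// Constructed sample input: a dashlet whose title carries a tag with an
// event handler, as someone able to set titles could supply.
const sampleDashlet = {
  id: 7,
  title: 'Activities <img src="x" onerror="alert(document.cookie)">',
};

if (typeof require !== 'undefined' && require.main === module) {
  console.log('unsafe:', renderDashletUnsafe(sampleDashlet));
  console.log('safe:  ', renderDashletSafe(sampleDashlet));
}
```

Escaping at the point of output, rather than when the title is stored, is what makes the fix robust: a title saved before the fix is still rendered harmlessly, and the same value can be emitted safely into a different context (a JSON payload, an attribute) with the escaper appropriate to that context.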
Security Risk
Critical
Vulnerability
Cross Site Scripting
Affected Versions
- CiviCRM 5.19.x before 5.19.2, and 5.13.x before 5.13.7
Fixed Versions
- CiviCRM 5.19.2 and 5.13.7
Solutions
Upgrade to the latest version of CiviCRM
Credits
Daniel Compton of Armadillo Sec Ltd for reporting the issue
Patrick Figel of Greenpeace CEE and Seamus Lee of Australian Greens for fixing the issue
References
security/core#65