Published: Wed, 19 Aug 2020 09:00:11 -0700
CiviCRM did not provide sufficient protection on the CKEditor configuration form, which could allow a malicious third party to trick a CiviCRM administrator into changing the configuration.
Note: This form had another vulnerability in the same version. The risk from two overlapping vulnerabilities may be greater than the risk of each individually.
Published: Wed, 19 Aug 2020 09:00:10 -0700
When viewing an activity, the activity details were not sufficiently filtered to prevent cross-site scripting attacks.
Published: Wed, 19 Aug 2020 09:00:09 -0700
In CiviCRM, an Access Control List (ACL) confers limited access to contact records (based on the membership list for a "Group" of contacts). In configurations with "ACL Smart Groups", a flaw allowed limited backend users to re-define their group criteria and gain elevated access. The fix ensures that only trusted users (with permission "edit groups") may re-define the group criteria.
Published: Wed, 15 Apr 2020 12:00:08 -0700
Two JavaScript libraries (QUnit and Google Code Prettify) are used with CiviCRM. These libraries include some assets which can be used in a cross-site scripting attack and which are not required by CiviCRM at runtime.
Published: Wed, 15 Apr 2020 12:00:07 -0700
The "Schedule Jobs" page was vulnerable to a cross-site request forgery. If an administrative user visited a malicious page outside of CiviCRM, the malicious page could trick that user's browser into executing a job on the CiviCRM site.
Published: Wed, 15 Apr 2020 12:00:06 -0700
When constructing contact search queries, values for certain fields were not properly escaped, allowing SQL injection.
Published: Wed, 15 Apr 2020 12:00:05 -0700
When constructing the SQL queries for deleting activities or getting summary information about CiviCampaigns, there was inadequate escaping of SQL variables that were passed in from request parameters.
Published: Wed, 15 Apr 2020 12:00:04 -0700
CiviCRM did not properly purify the content of the note fields attached to CiviCase activities when generating Case Reports or viewing the Case Activity.
Published: Wed, 15 Apr 2020 12:00:03 -0700
Backend users may be able to upload and execute a maliciously crafted "PHAR" file.
The "PharExtensionInterceptor" library from TYPO3 addresses this problem. Many projects, including the current Drupal and Joomla releases, already activate this protection and are already secure. However, some environments, such as WordPress, do not have it. This update extends the protection to all CiviCRM-supported environments.
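The protection described above works by replacing PHP's built-in `phar://` stream wrapper with one that refuses to open any archive whose file name does not end in `.phar`, so a PHAR renamed to look like an image or document cannot be executed through the wrapper. The following is an added example of activating it in a bootstrap file; it is not CiviCRM's own code. It assumes the `typo3/phar-stream-wrapper` Composer package is installed and autoloaded, and that the library raises `TYPO3\PharStreamWrapper\Exception` when the interceptor rejects a path (the class names are as published by that library; the helper `activatePharProtection()` and the sample paths are constructed for this illustration).

```php
<?php
// Added example: enable the TYPO3 PharStreamWrapper with the
// PharExtensionInterceptor. Not CiviCRM's code; assumes the
// typo3/phar-stream-wrapper package is installed via Composer.
require_once __DIR__ . '/vendor/autoload.php';

use TYPO3\PharStreamWrapper\Behavior;
use TYPO3\PharStreamWrapper\Interceptor\PharExtensionInterceptor;
use TYPO3\PharStreamWrapper\Manager;
use TYPO3\PharStreamWrapper\PharStreamWrapper;

// Hypothetical helper: call once during application bootstrap.
function activatePharProtection(): void
{
    // Guard against double initialization (the Manager only initializes once).
    static $done = false;
    if ($done) {
        return;
    }

    // The interceptor asserts that any phar:// path points at a file whose
    // name ends in ".phar"; anything else is rejected before it is opened.
    Manager::initialize(
        (new Behavior())->withAssertion(new PharExtensionInterceptor())
    );

    // Swap PHP's native phar:// handler for the intercepting wrapper.
    if (in_array('phar', stream_get_wrappers(), true)) {
        stream_wrapper_unregister('phar');
        stream_wrapper_register('phar', PharStreamWrapper::class);
    }
    $done = true;
}

activatePharProtection();

// Constructed paths for illustration: an uploaded file carrying a harmless
// extension is refused by the interceptor, while a real .phar passes the
// assertion and is handed to PHP's normal archive handling (which simply
// fails in the ordinary way if the file does not exist).
foreach (['/tmp/uploads/avatar.jpg', '/opt/tools/legit.phar'] as $path) {
    try {
        @file_get_contents('phar://' . $path . '/stub.txt');
        echo "not intercepted: $path\n";
    } catch (\TYPO3\PharStreamWrapper\Exception $e) {
        echo "blocked by interceptor: $path\n";
    }
}
```

Registering the wrapper as early as possible matters: any `phar://` access that happens before `activatePharProtection()` runs (for example in a plugin loaded earlier by the host CMS) still goes through PHP's unguarded handler, which is why the advisory notes that environments without this protection were the ones left exposed.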
Published: Wed, 15 Apr 2020 12:00:02 -0700
Using a carefully crafted request, a backend user could determine the API credentials of another user.
Published: Wed, 15 Apr 2020 12:00:01 -0700
When processing a CiviCRM API request, the entity name was not properly validated. This could potentially lead to loading an arbitrary file on the server.
Published: Wed, 04 Dec 2019 09:00:24 -0800
The AJAX end-point for APIv4 was vulnerable to a cross-site request forgery. If an administrative user visited a malicious page outside of CiviCRM, the malicious page could trick that user's browser into performing privileged actions on the CiviCRM site.
Published: Wed, 20 Nov 2019 09:00:23 -0800
Several CiviCRM fields are stored with an unconventional "HTML-esque" encoding. Consumers which read or write these fields via APIv4 have been prone to mishandling those strings (which can lead to cross-site scripting vulnerabilities and/or quirky outputs). In APIv3, the issue was previously mitigated by automatically transcoding strings. This revision extends the same mitigation to APIv4.
Most APIv4 consumers should automatically become more secure with this update.
Published: Wed, 20 Nov 2019 09:00:22 -0800
When loading dashboard dashlets, the system did not ensure that the dashlet titles were properly escaped.
Published: Wed, 20 Nov 2019 09:00:21 -0800
Both the "SavedSearch" and "ReportInstance" APIs accept certain inputs using "serialized" PHP notation. Accepting untrusted values in this notation leads to a "PHP Object Injection" (POI) vulnerability, which can potentially escalate to an "Arbitrary Code Execution" vulnerability.
The APIs now accept a restricted subset of "serialized" notation: only basic data (arrays, strings, numbers, etc.). This prohibits PHP object construction and retains backward compatibility with typical API inputs.
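The mitigation described here, accepting serialized notation only when it decodes to plain data, can be implemented generically with `unserialize()`'s `allowed_classes` option plus a walk over the decoded value. The block below is an added example and not CiviCRM's own implementation; the function names (`decodeRestrictedSerialized`, `assertPlainData`) and the sample inputs are constructed for illustration. It assumes PHP 7.0 or later, where `allowed_classes` is supported.

```php
<?php
// Added example (not CiviCRM's code): decode "serialized" PHP notation while
// refusing any object construction. Helper names are hypothetical.

// Returns the decoded value if it consists only of arrays, strings, numbers,
// booleans and null; throws otherwise.
function decodeRestrictedSerialized(string $input)
{
    // allowed_classes => false makes unserialize() emit a
    // __PHP_Incomplete_Class placeholder instead of instantiating the named
    // class, so no __wakeup()/__destruct() of an attacker-chosen class runs.
    $value = @unserialize($input, ['allowed_classes' => false]);

    // unserialize() returns false both for malformed input and for a
    // genuinely serialized false ("b:0;"); distinguish the two.
    if ($value === false && $input !== serialize(false)) {
        throw new InvalidArgumentException('Malformed serialized input');
    }

    assertPlainData($value);
    return $value;
}

// Recursively reject anything that is not basic data. The placeholder
// objects produced above are still objects, so they are rejected here, which
// keeps the API contract limited to arrays/strings/numbers as intended.
function assertPlainData($value): void
{
    if (is_array($value)) {
        foreach ($value as $element) {
            assertPlainData($element);
        }
        return;
    }
    if ($value === null || is_scalar($value)) {
        return;
    }
    throw new InvalidArgumentException('Serialized objects are not accepted');
}

// Constructed sample inputs.
$typicalFormValues = serialize([
    'contact_type' => 'Individual',
    'limit'        => 25,
    'tag'          => [3, 7],
]);
print_r(decodeRestrictedSerialized($typicalFormValues));

// A serialized object, including one nested inside an array, is refused.
$objectPayload = 'a:1:{s:4:"data";O:8:"stdClass":1:{s:1:"x";i:1;}}';
try {
    decodeRestrictedSerialized($objectPayload);
} catch (InvalidArgumentException $e) {
    echo 'Rejected: ', $e->getMessage(), PHP_EOL;
}
```

Checking the decoded structure, rather than pattern-matching the raw string for `O:`, is what keeps the restriction robust: nested objects, `C:` custom-serialized classes and other encodings of object construction all surface as non-scalar values after decoding and are caught by the same walk.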
Published: Wed, 20 Nov 2019 09:00:20 -0800
The field "api_key" has special security rules when accessed via the API. These rules could potentially be bypassed and lead to privilege escalation.
Published: Wed, 20 Nov 2019 09:00:19 -0800
The "dedupefind" endpoint facilitates de-duplication of contacts. The endpoint had a SQL injection vulnerability.
Published: Wed, 20 Nov 2019 08:59:02 -0800
This security advisory only affects users of the CiviCase v5 extension. In versions prior to 1.1, the extension did not properly escape the "Subject" field when using the in-place editor.
Published: Wed, 15 May 2019 09:00:18 -0700
When determining the installer type in use, the variable was not properly validated to ensure that it was only one of a specific set of installer types.
Published: Wed, 15 May 2019 09:00:17 -0700
When preparing the query for finding events for the Manage Events page, the event type parameter was not properly escaped.
Published: Wed, 15 May 2019 09:00:16 -0700
When generating a query for finding particular checkbox values, the query was not properly escaped before being passed to the database.
Published: Wed, 15 May 2019 09:00:15 -0700
In CiviCRM systems which accept file attachments, a malicious user could perform a cross-site scripting attack. This attack involved accessing the "civicrm/file" path with a forged value in the parameter "&mime-type=...".
The solution involved a few subtle changes in the public-facing contract for "civicrm/file". If you have a customization which relies on this route, you may want to consider the details:
Published: Wed, 15 May 2019 09:00:14 -0700
In CiviCRM APIv3, a generic action ("getOptions") inappropriately propagated an advanced option ("condition") to a lower-level function, which effectively allowed a caller to include arbitrary SQL conditions. The "getOptions" API will now ignore the "condition" option.
Published: Wed, 15 May 2019 09:00:13 -0700
PHP libraries and applications sometimes have vulnerabilities in which an attacker may inappropriately request construction of an object. The patch in this release does not deal with a specific vulnerability. Rather, it is defense in depth: it removes an escalation vector by which hypothetical vulnerabilities (in CiviCRM or a related PHP library/application) could become more severe.
Published: Wed, 15 May 2019 09:00:12 -0700
When processing country, state, province, or county references, some values were not properly validated, which enabled a SQL injection (SQLi) vulnerability.