CIVI-SA-2021-04: Cross Site Scripting in the APIv4 Explorer

Gepubliceerd
2021-03-09 09:00
Written by

When generating the example code in the APIv4 Explorer, the user entered data was not properly sanitised before displaying as example code within the Explorer.

Security Risk
Critical
Vulnerability
Cross Site Scripting
Affected Versions

CiviCRM versions 5.35.0 and earlier

Fixed Versions

CiviCRM version 5.35.1 and ESR version 5.33.3

Publication Date
Solutions

Upgrade to the latest version of CiviCRM

Credits

Coleman Watts of CiviCRM Core team for reporting and Fixing the issue.

Deutsche Gesellschaft für Internationale Zusammenarbeit (GIZ) GmbH for funding the fix

References

security/core!135