CIVI-SA-2024-06: Source and Name Fields (XSS)

Gepubliceerd

2024-10-16 12:00

Written by

dev-team

There are stored cross-site scripting vulnerabilities involving some variations of the "name" and "source" fields in certain backend screens.

Security Risk

Critical

Vulnerability

Cross Site Scripting

Affected Versions

CiviCRM versions 5.78.1 and earlier

Fixed Versions

CiviCRM versions 5.78.2 and 5.75.4 (ESR)

Publication Date

2024-10-16 - 12:00

Solutions

Upgrade to the latest CiviCRM version

Credits

Reporter: Seamus Lee of JMA Consulting & CiviCRM Core Team
Development/Review: Seamus Lee of JMA Consulting & CiviCRM Core Team, Tim Otten of CiviCRM Core Team, Patrick Figel of Greenpeace Central and Eastern Europe, Kevin Cristiano of Tadpole Collective

References

security/core#134

We are in the process of translating the civicrm.org website. Translations may not be available in all languages. Read more and participate.

© 2005 - 2023, CIVICRM LLC. All rights reserved.
CiviCRM and the CiviCRM logo are trademarks of CIVICRM LLC. Except where otherwise noted, content on this site is licensed under a Creative Commons Attribution-Share Alike 3.0 United States Licence.

[D8]

CIVI-SA-2024-06: Source and Name Fields (XSS)

WORK WITH A TRUSTED EXPERT
TO SETUP YOUR CIVICRM

Languages

CIVI-SA-2024-06: Source and Name Fields (XSS)

WORK WITH A TRUSTED EXPERT TO SETUP YOUR CIVICRM

WORK WITH A TRUSTED EXPERT
TO SETUP YOUR CIVICRM