Managing Webinars with CiviCRM

Published
2020-07-17 12:51
Written by

With the new reality of living with Covid-19, it is difficult to host in-person meetings. At Plastic Pollution Coalition, we used to host in-person coalition meetings in several cities as a way for people to learn and network with others in their community. In June, we transitioned to doing webinars. Although it's difficult for people to network during webinars, we can still continue sharing best practices and have a dialogue with our community.


CIVI-PSA-2023-01: Smarty v2 Audit

Published
2023-09-06 23:59
Written by

CiviCRM includes the Smarty v2 templating engine. Templates are defined by core code, by third-party extensions, and by configurable content. The upstream smarty.net project has stopped publishing security backports for Smarty v2, so civicrm.org will do so (until a migration to a newer Smarty is complete).

As part of this, the CiviCRM security team has done a detailed audit to compare recent issues from v2/v3/v4.

CIVI-SA-2023-08: KCFinder XSS

Published
2023-09-06 12:00
Written by

KCFinder provides a file-management dialog for CKEditor 4. It included two vulnerabilities:

  1. It allowed a "reflected" cross-site scripting (XSS) attack.
  2. It bypassed a CiviCRM policy option that limits file uploads. (This bypass was still subject to other restrictions. The likely impact is to allow a "stored" XSS attack; however, other impacts are possible.)