With the new reality of living with Covid-19, it is difficult to host in-person meetings. At Plastic Pollution Coalition, we used to host in-person coalition meetings in several cities as a way for people to learn and network with others in their community. In June, we transitioned to doing webinars. Although it's difficult for people to network during webinars, we can still continue sharing best practices and have a dialogue with our community.
A vulnerability in processing APIv3 AJAX requests could allow a malicious request to bypass permission checks.
8/10th - 12th October 2022
CiviCRM Manchester 2022
The "dompdf" library has a vulnerability which allows remote code execution. It may be exploited by some backend users.
The exact degree of exploitability for CiviCRM has not been determined.
jQuery UI v1.12 included multiple cross-site scripting vulnerabilities.
It has not been demonstrated that CiviCRM specifically is exploitable. However, it is possible that third-party extensions could use jQuery UI in a vulnerable fashion.
This is not a security vulnerability. It is a mitigation to protect against misconfiguration.
CiviCRM includes a large number of configurable permissions. Administrators may assign these permissions to various users and roles. This is powerful functionality that accommodates diverse needs, but it provides the opportunity for misconfiguration.
Misconfigurations may arise for a few reasons, such as:
When importing "Participant" records for CiviEvent, some inputs were not suitably escaped.
When accessing the Contribution View page, insufficient permission checking was occurring, which meant that if you knew the URL and had the "access CiviCRM" permission you would be able to view contribution information that you shouldn't have.
A few weeks prior to 24 February, I’d given up reading the news. It was a very happy time. Since Russia’s invasion of Ukraine, it’s been hard not to jump back into my Google news feed and periodically check in at NPR. Given the rise of misinformation over the past few years, it’s hard to know what is accurate and what isn’t, so much of what I read I take with a grain of salt.