CIVI-SA-2015-002 - Reflected XSS in AJAX callbacks

Published
2015-02-28 21:20
Cross-Site Scripting (XSS) is a technique for embedding malicious content into the web page delivered to a user. This class of attack therefore targets end-users rather than the web application itself. In a “reflected” attack, the payload is embedded in a crafted hyperlink or a malicious page, and the application echoes it back to the user in its response to the request that carried it.

Certain AJAX callbacks in CiviCRM did not properly encode their output, making them vulnerable to cross-site scripting attacks.
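The following is an added illustration of the defect class described above, not code from CiviCRM or from this advisory. It shows a minimal PHP AJAX callback that reflects a request parameter without encoding, followed by the two standard corrections: HTML-encoding the value for the context it lands in, or returning JSON with a proper Content-Type. The function names, the `$get` array (a stand-in for `$_GET`) and the sample payload are constructed for the example; it assumes PHP 7 or later.

```php
<?php
// Added example, not CiviCRM's own code: a minimal AJAX callback that
// reflects a request parameter, first unsafely, then with output encoding.

// Vulnerable: the "q" parameter is copied into the HTML fragment verbatim, so
// any markup in the request (for example from a crafted link) becomes part of
// the page and runs in the browser of whoever followed that link.
function ajax_search_unsafe(array $get): string
{
    $q = $get['q'] ?? '';
    return "<div class=\"results\">No results for '" . $q . "'</div>";
}

// Hardened: encode for the context the value lands in (HTML text), and
// encode quotes as well so the value cannot break out of an attribute either.
function ajax_search_safe(array $get): string
{
    $q = $get['q'] ?? '';
    $encoded = htmlspecialchars($q, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return "<div class=\"results\">No results for '" . $encoded . "'</div>";
}

// For callbacks that answer with JSON, build the body with json_encode (the
// JSON_HEX_* flags escape <, >, &, ' and " as \u sequences) and send a JSON
// Content-Type plus nosniff so the browser never renders the body as HTML.
function ajax_search_json(array $get): string
{
    $q = $get['q'] ?? '';
    header('Content-Type: application/json; charset=utf-8');
    header('X-Content-Type-Options: nosniff');
    return json_encode(
        ['query' => $q, 'count' => 0],
        JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT
    );
}

// Constructed sample request for a side-by-side comparison on the command
// line (php this_file.php); header() is a no-op under the CLI SAPI.
$sample = ['q' => "<script>alert(1)</script>"];
echo ajax_search_unsafe($sample), PHP_EOL;  // script element reaches the page
echo ajax_search_safe($sample), PHP_EOL;    // &lt;script&gt;... shown as text
echo ajax_search_json($sample), PHP_EOL;    // {"query":"\u003Cscript\u003E...","count":0}
```

The point to check in any AJAX endpoint is the same: identify which context each reflected value is written into (HTML text, attribute, JSON, JavaScript) and encode for that context at the point of output, rather than trying to filter the input.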

Security Risk: Moderately Critical

Vulnerability: Cross-Site Scripting

Affected Versions:

CiviCRM v4.5.0 - v4.5.6

CiviCRM v4.4.0 - v4.4.12

CiviCRM v4.3.0 - v4.3.10

CiviCRM v4.2.0 - v4.2.19

(Older versions: Unassessed)

Fixed Versions:

CiviCRM v4.5.7+, v4.4.13+, v4.3.11+, and v4.2.20+

Solutions:

Upgrade to CiviCRM v4.5.7+, v4.4.13+, v4.3.11+, or v4.2.20+

Credits
  • Sergey Ozernikov (Lateral Security)
  • Chris Burgess and Eileen McNaughton (Fuzion)
  • Peter Haight (Giant Rabbit)
  • Tim Otten (CiviCRM)