Cross-Site Scripting (XSS) is a technique used to embed malicious content into the resulting web page. It is pertinent to note that this class of attack targets end users rather than the web application itself. An attack is considered "reflected" when the user requests a web page with a payload that is embedded in a crafted hyperlink or a malicious page.
Certain AJAX callbacks in CiviCRM did not properly encode their outputs, making them vulnerable to cross-site scripting attacks.
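To illustrate the class of defect described above, the following is an added example and not CiviCRM's own code: a hypothetical AJAX callback that reflects a request parameter into its response, shown first without output encoding and then in the hardened form (function names and the sample input are constructed for this illustration).

```php
<?php
// Added illustration (not CiviCRM code): a hypothetical AJAX callback that
// reflects a request parameter back into its HTML or JSON response.

// Weak pattern: the fragment is built from the request value without
// encoding, so any markup in a crafted link reaches the user's browser as-is.
function renderRowUnencoded(array $params)
{
    $label = isset($params['label']) ? $params['label'] : '';
    return '<td class="crm-label">' . $label . '</td>';
}

// Hardened form: encode for the HTML context at the point of output.
// ENT_QUOTES covers both quote styles so the value is also safe inside
// attribute values; the charset must match the page's declared encoding.
function renderRowEncoded(array $params)
{
    $raw   = isset($params['label']) ? $params['label'] : '';
    $label = htmlspecialchars($raw, ENT_QUOTES, 'UTF-8');
    return '<td class="crm-label">' . $label . '</td>';
}

// JSON callbacks: json_encode() handles the JSON syntax, and the HEX flags
// additionally escape <, >, &, ' and " so a value that is later placed into
// an inline <script> block or innerHTML cannot break out of its context.
// The response should also be sent with a JSON content type, not text/html.
function renderJson(array $payload)
{
    return json_encode(
        $payload,
        JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT
    );
}

// Constructed sample input standing in for a reflected query parameter.
$sample = array('label' => 'O\'Neil & <b>Sons</b> "Ltd"');

// Unencoded: <td class="crm-label">O'Neil & <b>Sons</b> "Ltd"</td>
echo renderRowUnencoded($sample), "\n";
// Encoded:   <td class="crm-label">O&#039;Neil &amp; &lt;b&gt;Sons&lt;/b&gt; &quot;Ltd&quot;</td>
echo renderRowEncoded($sample), "\n";
// JSON:      {"label":"O\u0027Neil \u0026 \u003Cb\u003ESons\u003C\/b\u003E \u0022Ltd\u0022"}
echo renderJson($sample), "\n";
```

The fix for this class of issue is to apply the encoding that matches the output context (HTML, attribute, or JSON) in every callback that echoes request data, rather than relying on callers to have sanitised it.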
Vulnerable versions:
CiviCRM v4.5.0 - v4.5.6
CiviCRM v4.4.0 - v4.4.12
CiviCRM v4.3.0 - v4.3.10
CiviCRM v4.2.0 - v4.2.19
(Older versions: Unassessed)
Fixed versions:
CiviCRM v4.5.7+, v4.4.13+, v4.3.11+, and v4.2.20+
Remediation:
Upgrade to CiviCRM v4.5.7+, v4.4.13+, v4.3.11+, or v4.2.20+
Credits:
- Sergey Ozernikov (Lateral Security)
- Chris Burgess and Eileen McNaughton (Fuzion)
- Peter Haight (Giant Rabbit)
- Tim Otten (CiviCRM)