CIVI-SA-2016-23 Unescaped html in entity reference fields

Submitted by seamuslee on December 1, 2016 - 15:23
Security Risk: 
Critical
Vulnerability: 
Cross Site Scripting
Affected Versions: 
  • 4.7.13 and earlier
  • 4.6.23 and earlier
Fixed Versions: 
  • 4.7.14
  • 4.6.24
Publication Date: 
Friday, December 2, 2016
Description: 

When displaying entity reference fields, the labels were not properly being escaped.

Solutions: 

Update to the latest version of CiviCRM

  • 4.6.24
  • 4.7.14

If you cannot upgrade apply the following patch https://github.com/civicrm/civicrm-core/pull/9482/files

Credits: 

Coleman Watts for raising the issue and providing a fix.

References: 

Issue CRM-19709

WORK WITH A TRUSTED EXPERT
TO SETUP YOUR CIVICRM

Make your next CiviCRM implementation a Success.
Find an Expert

© 2005 - 2018, CIVICRM LLC. All rights reserved.
CiviCRM and the CiviCRM logo are trademarks of CIVICRM LLC. Except where otherwise noted, content on this site is licensed under a Creative Commons Attribution-Share Alike 3.0 United States Licence.