CIVI-SA-2016-23 Unescaped html in entity reference fields

Published

2016-12-01 15:23

Written by

seamuslee

When displaying entity reference fields, the labels were not properly being escaped.

Security Risk

Critical

Vulnerability

Cross Site Scripting

Affected Versions

4.7.13 and earlier
4.6.23 and earlier

Fixed Versions

4.7.14
4.6.24

Solutions

Update to the latest version of CiviCRM

4.6.24
4.7.14

If you cannot upgrade apply the following patch https://github.com/civicrm/civicrm-core/pull/9482/files

Credits

Coleman Watts for raising the issue and providing a fix.

References

Issue CRM-19709

We are in the process of translating the civicrm.org website. Translations may not be available in all languages. Read more and participate.

© 2005 - 2025, CIVICRM LLC. All rights reserved.
CiviCRM and the CiviCRM logo are trademarks of CIVICRM LLC. Except where otherwise noted, content on this site is licensed under a Creative Commons Attribution-Share Alike 3.0 United States Licence.

[D10]

CIVI-SA-2016-23 Unescaped html in entity reference fields

WORK WITH A TRUSTED EXPERT
TO SETUP YOUR CIVICRM

Languages

CIVI-SA-2016-23 Unescaped html in entity reference fields

WORK WITH A TRUSTED EXPERT TO SETUP YOUR CIVICRM

WORK WITH A TRUSTED EXPERT
TO SETUP YOUR CIVICRM