Security Risk:
Not Critical
Vulnerability:
Other
Affected Versions:
Up to v4.7.21
Fixed Versions:
v4.7.21
Publication Date:
Wednesday, July 5, 2017
Description:
CiviCRM includes a number of JavaScript libraries. An automated assessment indicated that some of these libraries had security issues. CiviCRM v4.7.21+ upgrades or removes multiple libraries.
Unfortunately, we could not obtain sufficient information about these issues to determine whether they cause actual vulnerabilities in CiviCRM.
Solutions:
Any ONE of these solutions:
- Upgrade to v4.7.21+
- Backport several patches:
  - Apply https://github.com/civicrm/civicrm-core/pull/10425
  - Apply https://github.com/civicrm/civicrm-core/pull/10494
  - Apply https://github.com/civicrm/civicrm-core/pull/10495
  - Apply https://github.com/civicrm/civicrm-packages/pull/188
  - Execute bower and composer to install the updated libraries
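The backport procedure above, as an added example script (not part of the advisory and not CiviCRM's own tooling). It assumes the site is a git checkout of civicrm-core with civicrm-packages checked out at packages/, and that git, curl, composer and bower are on PATH; it relies on GitHub serving any pull request as a plain patch when ".patch" is appended to its URL, and runs `git apply --check` before touching the tree so a patch that does not fit the local version fails cleanly.

```shell
#!/bin/sh
# Added example, not from the advisory: backport the four PRs listed above
# onto a CiviCRM 4.7.x git checkout and reinstall the updated libraries.
# Assumed layout (not stated in the advisory): civicrm-core at the site root,
# civicrm-packages at packages/ beneath it.
set -eu

# GitHub serves any pull request as a unified diff at "<PR URL>.patch".
pr_patch_url() {
    printf '%s.patch\n' "$1"
}

# Core PRs apply at the site root; civicrm-packages PRs apply in packages/.
pr_target_dir() {
    case "$1" in
        */civicrm-packages/*) printf 'packages\n' ;;
        *) printf '.\n' ;;
    esac
}

# Download one PR as a patch and apply it. The --check dry run comes first so
# a patch that does not match the local tree aborts before any file changes.
apply_pr() {
    root=$1
    pr=$2
    dir="$root/$(pr_target_dir "$pr")"
    patch=$(mktemp)
    curl -fsSL "$(pr_patch_url "$pr")" -o "$patch"
    git -C "$dir" apply --check "$patch"
    git -C "$dir" apply "$patch"
    rm -f "$patch"
    echo "applied $pr in $dir"
}

# Apply all four patches, then refresh PHP and JS dependencies, since the
# patches change the composer/bower manifests rather than the libraries.
backport_all() {
    root=$1
    for pr in \
        https://github.com/civicrm/civicrm-core/pull/10425 \
        https://github.com/civicrm/civicrm-core/pull/10494 \
        https://github.com/civicrm/civicrm-core/pull/10495 \
        https://github.com/civicrm/civicrm-packages/pull/188
    do
        apply_pr "$root" "$pr"
    done
    (cd "$root" && composer install --no-dev && bower install)
}

# Usage: sh backport.sh /path/to/civicrm
if [ $# -gt 0 ]; then
    backport_all "$1"
fi
```

Run it against a copy of the site first; if `git apply --check` rejects a patch, the local checkout has diverged from 4.7.x and the patch needs to be rebased by hand rather than forced.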
Credits:
- Chris Burgess (Fuzion)
- Seamus Lee (Australian Greens)
- Tim Otten (CiviCRM)