CiviCRM includes the Smarty v2 templating engine. Templates are defined by core code, by third-party extensions, and by configurable content. The upstream smarty.net project has stopped publishing security backports for Smarty v2, so civicrm.org will do so (until a migration to a newer Smarty is complete).

As part of this, the CiviCRM security team has done a detailed audit to compare recent issues from v2/v3/v4.

CiviEvent included multiple screens with a vulnerability to cross-site scripting (XSS).

Some administrative actions for "Contact" profile-images lacked sufficient validation, making them vulnerable to a cross-site request forgery (CSRF).

In CiviCampaign, the "Survey" functionality includes a field that may be vulnerable to cross-site scripting (XSS).

The package "jquery-validation" may be vulnerable to a Denial of Service (DoS) involving its handling of regular expressions.

We have not identified an attack scenario affecting CiviCRM, but the update appears to be a safe and sensible precaution.

Select2 is an auto-complete widget. In multiple places where CiviCRM uses Select2, it was vulnerable to stored cross-site scripting (XSS) attack.

(We believe that exploiting this requires that both the attacker and the victim have a high-level of access to the same CiviCRM deployment.)

A problematic code pattern was found in ~8 places. Any of these places could be vulnerable a SQL injection (SQLI) attack. However, it is believed that most or all have mitigating factors that prevent exploits.

Users with access APIv3 or APIv4 via any medium (including web-browser) may be able to execute an SQL injection (SQL) attack.

KCFinder provides a file-management dialog for CKEditor 4. It included two vulnerabilities:

1. It allowed a "reflected" cross-site scripting (XSS) attack.
2. It bypassed a CiviCRM policy option which limits file-uploads. (This bypass was still subject to other restrictions. The likely impact is to allow a "stored" XSS attack. However, it is possible for there to be other impacts.)

Template authors can perform remote code execution (RCE) with a specially crafted call to the {math} function.

(This issue was identified as part of a general audit of Smarty v2, CIVI-PSA-2023-01.)