CIVI-SA-2024-04: Copy / Clone Actions (CSRF)
In some parts of the CiviCRM administrative interface, the "Copy" or "Clone" actions are vulnerable to cross-site request forgery.
Next year, CiviCRM will celebrate 20 years of existence! And while some things have changed dramatically in both the community and software, our mission has remained the same: to ensure that all organizations, regardless of size, budget or focus, can access a world-class CRM.
Our commitment to this mission is as strong as ever and is, in fact, a primary driver behind an impending change in how we present CiviCRM via https://civicrm.org, its primary marketing channel.
At CiviCamp Hamburg at the start of June it was nice to finally share for the first time a project to improve how CiviCRM looks, which I've been working on for several years, alongside Rich 'Artful Robot' Lott and in close discussion with the core team. With the related extension just reaching version 0.7, after resolving dozens of issues raised during the Sprint, it feels time to introduce it to the wider community.
CiviCRM uses the Smarty template system for high-trust content (built-in template files, written by developers) and low-trust content (user-supplied templates, written by back-office users). Low-trust content is subject to sandboxing, but there were issues in how this was applied.
Web pages which use the "Resources" API to inject JSON data ("settings") may create vectors for XSS attacks.
Within the "View Contact" screen and its sub-pages, there were multiple cross-site scripting vulnerabilities.
What’s this DocBot all about? Well, in short, it’s an AI-based bot that puts the end user, developer and system administrator documentation into a CiviCRM extension that allows fast, efficient Q&A style searches. Basically, it puts the entire CiviCRM documentation at your fingertips, providing answers and how-to style guidance in-app.
Don’t worry… the docs are NOT going away! In fact, they are as important as ever!
It’s been a few months since Mathieu reworked version 1 of the contributor listing using SearchKit. You can see it in action at https://civicrm.org/civicrm/contributors
Let me start by saying that it isn’t perfect, meaning that it doesn’t capture every contribution from every corner of the CiviVerse, nor will it display past contributors that are now inactive (at least not without them following the process detailed below).