CIVI-SA-2020-04: Cross Site Scripting within CiviCase Reports
CiviCRM did not properly purify the content of the note fields attached to CiviCase activities when generating Case Reports or viewing the Case Activity
Backend users may be able to upload and execute a maliciously crafted "PHAR" file.
The "PharExtensionInterceptor" library from Typo3 addresses this problem. Many projects - including the current Drupal and Joomla releases - already activate this protection and are already secure. However, some environments - such as WordPress - do not have it. This update extends the protection to all CiviCRM-supported environments.
Using a carefully crafted request, a backend user could determine the API credentials of another user.
When processing a CiviCRM API request, the entity name was not properly validated. This could potentially lead to loading an arbitrary file on the server.
This extension provides a number of useful features to complement/improve the CiviEvent component in CiviCRM. It provides a more useful replacement for the event template functionality.
Back in September 2019, we had announced a plan to upgrade the content management system (CMS) running the civicrm.org website, as well as plans to make civicrm.org available in many languages. Today I'm happy to announce that we have reached a major milestone: most of the static content, user logins, blogs and many CiviCRM forms are now being served from Drupal8.
As a CRM for nonprofits, CiviCRM excels at both contact management and contribution management. What ties these two together and makes CiviCRM shine is its ability to take payments online and offline in a very flexible manner.
The Paid Issue Queue (PIQ) is a system by which new features and bug fixes may be prioritized by providing direct financial support. It is coordinated by the CiviCRM Core Team and all work performed is done by the Core Team or by individuals they designate. All work is licensed under the GNU Affero General Public License.
CiviCon brings together prospective and current end-users, administrators and developers of CiviCRM for content-rich discussions, lectures and networking. Sharpen your skills and get involved in the community.
If you're looking for a one-day event in cities around the world, check out our upcoming CiviCamps.
The CiviCRM trademark policy and brand usage policy are designed to foster growth and encourage responsible use without unnecessary burden. Both policies have been developed with the following goals in mind: