CIVI-SA-2020-06: SQLI in Query Builder
When constructing contact search queries, values for certain fields were not properly escaped -- allowing for SQL injection.
When constructing the SQL queries for deleting activities or getting summary information about CiviCampaigns, there was inadequate escaping of SQL variables that were passed in from request parameters.
CiviCRM did not properly purify the content of the note fields attached to CiviCase activities when generating Case Reports or viewing the Case Activity.
Backend users may be able to upload and execute a maliciously crafted "PHAR" file.
The "PharExtensionInterceptor" library from Typo3 addresses this problem. Many projects - including the current Drupal and Joomla releases - already activate this protection and are already secure. However, some environments - such as WordPress - do not have it. This update extends the protection to all CiviCRM-supported environments.
Using a carefully crafted request, a backend user could determine the API credentials of another user.
When processing a CiviCRM API request, the entity name was not properly validated. This could potentially lead to loading an arbitrary file on the server.
This extension provides a number of useful features to complement/improve the CiviEvent component in CiviCRM. It provides a more useful replacement for the event template functionality.
Back in September 2019, we had announced a plan to upgrade the content management system (CMS) running the civicrm.org website, as well as plans to make civicrm.org available in many languages. Today I'm happy to announce that we have reached a major milestone: most of the static content, user logins, blogs and many CiviCRM forms are now being served from Drupal8.
As a CRM for nonprofits, CiviCRM excels at both contact management and contribution management. What ties these two together and makes CiviCRM shine is its ability to take payments online and offline in a very flexible manner.
The Paid Issue Queue (PIQ) is a system by which new features and bug fixes may be prioritized by providing direct financial support. It is coordinated by the CiviCRM Core Team, and all work performed is done by the Core Team or by individuals they designate. All work is licensed under the GNU Affero General Public License.