CiviCRM | Open source constituent relationship management for non-profits, NGOs and advocacy organizations.

CIVI-SA-2020-03: PHP Code Execution via Phar Deserialization

Published

2020-04-15 12:00

Written by

dev-team

Read more about CIVI-SA-2020-03: PHP Code Execution via Phar Deserialization

Backend users may be able to upload and execute a maliciously crafted "PHAR" file.

The "PharExtensionInterceptor" library from Typo3 addresses this problem. Many projects - including the current Drupal and Joomla releases - already activate this protection and are already secure. However, some environments - such as WordPress - do not have it. This update extends the protection to all CiviCRM-supported environments.

CIVI-SA-2020-02: API Key Disclosure

Published

2020-04-15 12:00

Written by

dev-team

Read more about CIVI-SA-2020-02: API Key Disclosure

Using a carefully crafted request, a backend user could determine the API credentials of another user.

CIVI-SA-2020-01: Improve Entity Name sanitisation when used as part of API

Published

2020-04-15 12:00

Written by

dev-team

Read more about CIVI-SA-2020-01: Improve Entity Name sanitisation when used as part of API

When processing a CiviCRM API request, the entity name was not properly validated. This could potentially lead to loading an arbitrary file on the server.

Advanced Events

Reviewed Extension

Active Installs

169

Download

Last updated: 2024-03-06

Works with CiviCRM 5.65 or higher.

This extension provides a number of useful features to complement/improve the CiviEvent component in CiviCRM. It provides a more useful replacement for the event template functionality.

Progress on the civicrm.org Drupal8 upgrade

Published

2020-04-05 16:25

Written by

bgm - member of the CiviCRM community and Core Team member - about the Core Team

Back in September 2019, we had announced a plan to upgrade the content management system (CMS) running the civicrm.org website, as well as plans to make civicrm.org available in many languages. Today I'm happy to announce that we have reached a major milestone: most of the static content, user logins, blogs and many CiviCRM forms are now being served from Drupal8.

Taking Payments in CiviCRM

Read more about Taking Payments in CiviCRM

Taking Payments In CiviCRM

As a CRM for nonprofits, CiviCRM excels at both contact management and contribution management. What ties these two together and makes CiviCRM shine is its ability to take payments online and offline in a very flexible manner.

Paid Issue Queue

The Paid Issue Queue (PIQ) is a system by which new features and bug fixes may be prioritized by providing direct financial support. It is coordinated by the CiviCRM Core Team and all work performed is done by the Core Team or by individuals they designate. All work is licensed under the GNU Affero General Public License

Read more about Paid Issue Queue

Join us at CiviCon

CiviCon brings together prospective and current end-users, administrators and developers of CiviCRM for content-rich discussions, lectures and networking. Sharpen your skills and get involved in the community.

If you're looking for a one-day event in cities around the world, check out our upcoming CiviCamps.

Read more about Join us at CiviCon

Trademark

CiviCRM Trademark & Brand Usage Policy

The CiviCRM trademark policy and brand usage policy are designed to foster growth and encourage responsible use without unnecessary burden. Both policies have been developed with the following goals in mind:

Read more about Trademark

Ask a question

Want to find out if CiviCRM is right for you? Maybe you're already using it and need help with a particular feature, or maybe you'd like some expert opinion on the way that you have your CiviCRM configured.

Ask questions and get them answered for free by CiviCRM experts on our CiviCRM Question and Answer site powered by stack exchange. You'll receive multiple answers from experienced users and CiviCRM experts from around the world.

Read more about Ask a question

CIVI-SA-2020-03: PHP Code Execution via Phar Deserialization

CIVI-SA-2020-02: API Key Disclosure

CIVI-SA-2020-01: Improve Entity Name sanitisation when used as part of API

Advanced Events

Progress on the civicrm.org Drupal8 upgrade

Taking Payments in CiviCRM

Taking Payments In CiviCRM

Paid Issue Queue

Join us at CiviCon

Trademark

CiviCRM Trademark & Brand Usage Policy

Ask a question

WORK WITH A TRUSTED EXPERT
TO SETUP YOUR CIVICRM

Languages

Taking Payments In CiviCRM

CiviCRM Trademark & Brand Usage Policy

WORK WITH A TRUSTED EXPERT TO SETUP YOUR CIVICRM

WORK WITH A TRUSTED EXPERT
TO SETUP YOUR CIVICRM