The "Schedule Jobs" page was vulnerable to a cross-site request forgery. If an administrative user visited a malicious page outside of CiviCRM, the malicious page could trick that user's browser into executing a job on the CiviCRM site.
When constructing contact search queries, values for certain fields were not properly escaped -- allowing for SQL injection.
When constructing the SQL queries for deleting activities or getting summary information about CiviCampaigns, there was inadequate escaping of SQL variables that were passed in from request parameters.
CiviCRM did not properly purify the content of the note fields attached to CiviCase activities when generating Case Reports or viewing the Case Activity
Backend users may be able to upload and execute a maliciously crafted "PHAR" file.
The "PharExtensionInterceptor" library from Typo3 addresses this problem. Many projects - including the current Drupal and Joomla releases - already activate this protection and are already secure. However, some environments - such as WordPress - do not have it. This update extends the protection to all CiviCRM-supported environments.
Using a carefully crafted request, a backend user could determine the API credentials of another user.
When processing a CiviCRM API request, the entity name was not properly validated. This could potentially lead to loading an arbitrary file on the server.
This extension provides a number of useful features to complement/improve the CiviEvent component in CiviCRM. It provides a more useful replacement for the event template functionality.
Back in September 2019, we had announced a plan to upgrade the content management system (CMS) running the civicrm.org website, as well as plans to make civicrm.org available in many languages. Today I'm happy to announce that we have reached a major milestone: most of the static content, user logins, blogs and many CiviCRM forms are now being served from Drupal8.
As a CRM for nonprofits, CiviCRM excels at both contact management and contribution management. What ties these two together and makes CiviCRM shine is its ability to take payments online and offline in a very flexible manner.
