FormBuilder: Support for Contributions
One of the most powerful and important features of FormBuilder is arguably also the most complex, which is why we have been patient (some might say ‘slow’) in implementing it. We’re talking about support for contributions, i.e. processing payments, in FormBuilder.
But, as the saying goes in the great country of Texas, it’s time to “take the bull by the horns”.
Exciting, we know, though maybe not for the bull. Anyhow, before we get saddled up, let’s set a few expectations up front:
CiviCamp Montreal, Canada 2024
26 February - 3 March 2024
Little BIC 1.7.6
<extension key="org.project60.bic" type="module">
<file>bic</file>
<name>Little BIC extension</name>
<description>Generates and maintains a list of banks</description>
<license>APGLv3</license>
<maintainer>
<author>B. Endres</author>
<email>endres@systopia.de</email>
</maintainer>
<releaseDate>2023-08-02</releaseDate>
<version>1.7.6</version>
<develStage>stable</develStage>
<urls>
<url desc="Main Extension Page">https://github.com/Project60/org.project60.bic</url>
<url desc="Documentation">https://github.com/Project60/org.project60.bic/blob/master/README.md</url>
<url desc="Support">https://github.com/Project60/org.project60.bic/issues/new</url>
</urls>
<requires>
<php>>=7.3.0 <8.0.0</php>
</requires>
<comments>Originally Developed by Carlos Capote and Björn Endres</comments>
<civix>
<namespace>CRM/Bic</namespace>
</civix>
<classloader>
<psr4 prefix="Civi\" path="Civi" />
</classloader>
</extension>
CIVI-PSA-2023-01: Smarty v2 Audit
CiviCRM includes the Smarty v2 templating engine. Templates are defined by core code, by third-party extensions, and by configurable content. The upstream smarty.net project has stopped publishing security backports for Smarty v2, so civicrm.org will do so (until a migration to a newer Smarty is complete).
As part of this, the CiviCRM security team has done a detailed audit to compare recent issues from v2/v3/v4.
CIVI-SA-2023-15: CiviEvent XSS
CiviEvent included multiple screens with a vulnerability to cross-site scripting (XSS).
CIVI-SA-2023-14: Contact Image CSRF
Some administrative actions for "Contact" profile-images lacked sufficient validation, making them vulnerable to a cross-site request forgery (CSRF).
CIVI-SA-2023-13: Survey XSS
In CiviCampaign, the "Survey" functionality includes a field that may be vulnerable to cross-site scripting (XSS).
CIVI-SA-2023-12: jQuery Validation DoS
The package "jquery-validation" may be vulnerable to a Denial of Service (DoS) involving its handling of regular expressions.
We have not identified an attack scenario affecting CiviCRM, but the update appears to be a safe and sensible precaution.
CIVI-SA-2023-11: Select2 XSS
Select2 is an auto-complete widget. In multiple places where CiviCRM uses Select2, it was vulnerable to a stored cross-site scripting (XSS) attack.
(We believe that exploiting this requires that both the attacker and the victim have a high level of access to the same CiviCRM deployment.)