CiviCRM | Open source constituent relationship management for non-profits, NGOs and advocacy organizations.

CIVI-SA-2023-10: Multiple Potential SQLI

Published

2023-09-06 12:00

Written by

dev-team

Read more about CIVI-SA-2023-10: Multiple Potential SQLI

A problematic code pattern was found in ~8 places. Any of these places could be vulnerable a SQL injection (SQLI) attack. However, it is believed that most or all have mitigating factors that prevent exploits.

CIVI-SA-2023-09: GetFields SQLI

Published

2023-09-06 12:00

Written by

dev-team

Read more about CIVI-SA-2023-09: GetFields SQLI

Users with access APIv3 or APIv4 via any medium (including web-browser) may be able to execute an SQL injection (SQL) attack.

CIVI-SA-2023-08: KCFinder XSS

Published

2023-09-06 12:00

Written by

dev-team

Read more about CIVI-SA-2023-08: KCFinder XSS

KCFinder provides a file-management dialog for CKEditor 4. It included two vulnerabilities:

It allowed a "reflected" cross-site scripting (XSS) attack.
It bypassed a CiviCRM policy option which limits file-uploads. (This bypass was still subject to other restrictions. The likely impact is to allow a "stored" XSS attack. However, it is possible for there to be other impacts.)

CIVI-SA-2023-07: Smarty Math RCE

Published

2023-09-06 12:00

Written by

dev-team

Read more about CIVI-SA-2023-07: Smarty Math RCE

Template authors can perform remote code execution (RCE) with a specially crafted call to the {math} function.

(This issue was identified as part of a general audit of Smarty v2, CIVI-PSA-2023-01.)

London, UK 2023

Read more about London, UK 2023

Tuesday 20th June, 2023

Leipzig, Germany 2023

Read more about Leipzig, Germany 2023

September 11th - 14th, 2023

Brussels, Belgium 2023

Read more about Brussels, Belgium 2023

Friday 2nd June 2023

Manchester, UK 2023

Read more about Manchester, UK 2023

29th November - 8th December 2023

More Greetings - Personalised Strings for all Contacts 1.1.0

Extension

More Greetings - Personalised Strings for all Contacts

Release Date

2023-02-27 - 12:00

Release Version

1.1.0

Release Status

Stable

Release CiviCRM Compatibility

CiviCRM 5.0

Download URL (zip)

https://github.com/systopia/de.systopia.moregreetings/releases/download/1.1.0/d…

Read more about More Greetings - Personalised Strings for all Contacts 1.1.0

XML

<?xml version="1.0"?>
<extension key="de.systopia.moregreetings" type="module">
<file>moregreetings</file>
<name>More Greeting Options</name>
<description>Extension to allow additional, customised greetings</description>
<license>AGPL-3.0</license>
<maintainer>
<author>SYSTOPIA</author>
<email>endres@systopia.de</email>
</maintainer>
<urls>
<url desc="Main Extension Page">https://github.com/systopia/de.systopia.moregreetings</url>
<url desc="Documentation">https://github.com/systopia/de.systopia.moregreetings</url>
<url desc="Support">https://github.com/systopia/de.systopia.moregreetings/issues</url>
<url desc="Licensing">http://www.gnu.org/licenses/agpl-3.0.html</url>
</urls>
<releaseDate>2023-02-27</releaseDate>
<version>1.1.0</version>
<develStage>stable</develStage>
<compatibility>
<ver>5.0</ver>
</compatibility>
<comments></comments>
<civix>
<namespace>CRM/Moregreetings</namespace>
</civix>
</extension>

Release notes

https://github.com/systopia/de.systopia.moregreetings/releases/tag/1.1.0

CiviCRM + WordPress + The Island theme

Published

2023-02-23 08:09

Written by

bgm

Read more about CiviCRM + WordPress + The Island theme

Recent version of CiviCRM with the The Island theme on WordPress. Minimal read-only demo.

To login: username is "demo" and password is "demo123".

We provide turn-key CiviCRM hosting (no installation costs, regular CiviCRM upgrades, backups, secure https, 24/7 monitoring, no lock-in) with Drupal7, Drupal8 and WordPress, in French, English or bilingual configurations.

CIVI-SA-2023-10: Multiple Potential SQLI

CIVI-SA-2023-09: GetFields SQLI

CIVI-SA-2023-08: KCFinder XSS

CIVI-SA-2023-07: Smarty Math RCE