CIVI-SA-2023-09: GetFields SQLI
Published
2023-09-06 12:00
Users with access APIv3 or APIv4 via any medium (including web-browser) may be able to execute an SQL injection (SQL) attack.
CIVI-SA-2023-08: KCFinder XSS
Published
2023-09-06 12:00
KCFinder provides a file-management dialog for CKEditor 4. It included two vulnerabilities:
- It allowed a "reflected" cross-site scripting (XSS) attack.
- It bypassed a CiviCRM policy option which limits file-uploads. (This bypass was still subject to other restrictions. The likely impact is to allow a "stored" XSS attack. However, it is possible for there to be other impacts.)
CIVI-SA-2023-07: Smarty Math RCE
Published
2023-09-06 12:00
Template authors can perform remote code execution (RCE) with a specially crafted call to the {math} function.
(This issue was identified as part of a general audit of Smarty v2, CIVI-PSA-2023-01.)
London, UK 2023
Tuesday 20th June, 2023
Leipzig, Germany 2023
September 11th - 14th, 2023
Brussels, Belgium 2023
Friday 2nd June 2023
Manchester, UK 2023
29th November - 8th December 2023
More Greetings - Personalised Strings for all Contacts 1.1.0
Release Date
Release Version
1.1.0
Release Status
Stable
Release CiviCRM Compatibility
XML
<?xml version="1.0"?>
<extension key="de.systopia.moregreetings" type="module">
<file>moregreetings</file>
<name>More Greeting Options</name>
<description>Extension to allow additional, customised greetings</description>
<license>AGPL-3.0</license>
<maintainer>
<author>SYSTOPIA</author>
<email>endres@systopia.de</email>
</maintainer>
<urls>
<url desc="Main Extension Page">https://github.com/systopia/de.systopia.moregreetings</url>
<url desc="Documentation">https://github.com/systopia/de.systopia.moregreetings</url>
<url desc="Support">https://github.com/systopia/de.systopia.moregreetings/issues</url>
<url desc="Licensing">http://www.gnu.org/licenses/agpl-3.0.html</url>
</urls>
<releaseDate>2023-02-27</releaseDate>
<version>1.1.0</version>
<develStage>stable</develStage>
<compatibility>
<ver>5.0</ver>
</compatibility>
<comments></comments>
<civix>
<namespace>CRM/Moregreetings</namespace>
</civix>
</extension>
<extension key="de.systopia.moregreetings" type="module">
<file>moregreetings</file>
<name>More Greeting Options</name>
<description>Extension to allow additional, customised greetings</description>
<license>AGPL-3.0</license>
<maintainer>
<author>SYSTOPIA</author>
<email>endres@systopia.de</email>
</maintainer>
<urls>
<url desc="Main Extension Page">https://github.com/systopia/de.systopia.moregreetings</url>
<url desc="Documentation">https://github.com/systopia/de.systopia.moregreetings</url>
<url desc="Support">https://github.com/systopia/de.systopia.moregreetings/issues</url>
<url desc="Licensing">http://www.gnu.org/licenses/agpl-3.0.html</url>
</urls>
<releaseDate>2023-02-27</releaseDate>
<version>1.1.0</version>
<develStage>stable</develStage>
<compatibility>
<ver>5.0</ver>
</compatibility>
<comments></comments>
<civix>
<namespace>CRM/Moregreetings</namespace>
</civix>
</extension>
CiviCRM + WordPress + The Island theme
Published
2023-02-23 08:09
Recent version of CiviCRM with the The Island theme on WordPress. Minimal read-only demo.
To login: username is "demo" and password is "demo123".
We provide turn-key CiviCRM hosting (no installation costs, regular CiviCRM upgrades, backups, secure https, 24/7 monitoring, no lock-in) with Drupal7, Drupal8 and WordPress, in French, English or bilingual configurations.
CIVI-SA-2023-06: Dompdf 2.0.3
Published
2023-02-15 12:00
The "dompdf" library has a vulnerability which allows remote code execution. It may be exploited by some backend users.
WORK WITH A TRUSTED EXPERT
TO SETUP YOUR CIVICRM
Make your next CiviCRM implementation a Success.
