CiviSEPA 1.7.0

Release Date: 2023-01-11
Release Version: 1.7.0
Release Status: Stable
Release CiviCRM Compatibility: 5.19, 5.28, 5.43

XML:
<?xml version="1.0"?>
<extension key="org.project60.sepa" type="module">
  <file>sepa</file>
  <name>SEPA Direct Debit</name>
  <description>This extension provides SEPA Direct Debit processing.</description>
  <license>aGPL3</license>
  <maintainer>
    <author>B. Endres</author>
    <email>endres@systopia.de</email>
  </maintainer>
  <releaseDate>2023-01-11</releaseDate>
  <version>1.7.0</version>
  <develStage>stable</develStage>
  <compatibility>
    <ver>5.19</ver>
    <ver>5.28</ver>
    <ver>5.43</ver>
  </compatibility>
  <urls>
    <url desc="Main Extension Page">https://github.com/Project60/org.project60.sepa</url>
    <url desc="Documentation">https://docs.civicrm.org/civisepa</url>
    <url desc="Support">https://github.com/Project60/org.project60.sepa/issues</url>
    <url desc="Licensing">http://www.gnu.org/licenses/agpl-3.0.html</url>
  </urls>
  <comments>This module is the merge of Xaviers Dutoit's (xavier@tttp.eu) and Bj&#xF6;rn Endres' (endres@systopia.de) Project60 branches.</comments>
  <classloader>
    <psr4 prefix="Civi\" path="Civi"/>
  </classloader>
  <civix>
    <namespace>CRM/Sepa</namespace>
    <format>22.05.2</format>
  </civix>
  <mixins>
    <mixin>menu-xml@1.0.0</mixin>
    <mixin>mgd-php@1.0.0</mixin>
    <mixin>setting-php@1.0.0</mixin>
  </mixins>
</extension>

CIVI-SA-2023-03: Asset Builder XSS

Published: 2023-01-04 12:00

Asset Builder allows CiviCRM and its extensions to generate dynamic assets. A vulnerability allowed third-parties to trick it into generating assets with unintended inputs.

Exploiting this vulnerability depends on several details (e.g. the asset data-types, input-parameters, and web-domain policies). For the specific assets and configurations that we tested, attacks were substantively constrained by the browsers' "Same Origin Policy". However, other assets and other configurations could be impacted more severely.

CIVI-SA-2023-01: Help Subsystem RCE

Published: 2023-01-04 12:00

The "Help" subsystem did not sufficiently validate the location/origin of its source files. If combined with a web-based upload tool, this could allow a user to execute arbitrary code.

With CiviCRM's standard upload tools, exploiting this vulnerability requires permission "administer CiviCRM". However, other upload tools (such as CMS plugins) could provide other attack vectors.

airmail v2.1

Extension
Release Date: 2021-08-05
Release Version: 2.1
Release Status: Stable
Release CiviCRM Compatibility: 4.7, 5.x

XML:
<?xml version="1.0"?>
<extension key="com.aghstrategies.airmail" type="module">
  <file>airmail</file>
  <name>AirMail</name>
  <description>SMTP Event Notification Processor</description>
  <license>AGPL-3.0</license>
  <maintainer>
    <author>Alice Frumin</author>
    <email>alice@aghstrategies.com</email>
  </maintainer>
  <urls>
    <url desc="Licensing">http://www.gnu.org/licenses/agpl-3.0.html</url>
  </urls>
  <releaseDate>2021-08-05</releaseDate>
  <version>2.1</version>
  <develStage>alpha</develStage>
  <compatibility>
    <ver>4.7</ver>
    <ver>5.x</ver>
  </compatibility>
  <civix>
    <namespace>CRM/Airmail</namespace>
  </civix>
</extension>