Asset Builder allows CiviCRM and its extensions to generate dynamic assets. A vulnerability allowed third-parties to trick it into generating assets with unintended inputs.

Exploiting this vulnerability depends on several details (e.g. the asset data-types, input-parameters, and web-domain policies). For the specific assets and configurations that we tested, attacks were substantively constrained by the browsers' "Same Origin Policy". However, other assets and other configurations could be impacted more severely.

CiviEvent included a vector for reflected cross-site-scripting (XSS) attacks.

The "Help" subsystem did not sufficiently validate the location/origin of its source files. If combined with a web-based upload tool, this could allow a user to execute arbitrary code.

With CiviCRM's standard upload tools, exploiting this vulnerability requires permission "administer CiviCRM". However, other upload tools (such as CMS plugins) could provide other attack vectors.

A vulnerability in processing APIv3 AJAX requests could allow a malicious request to bypass permission checks.

The "dompdf" library has a vulnerability which allows remote code execution. It may be exploited by some backend users.

CKEditor had a vulnerability that could allow execution of Javascript code.

The exact degree of exploitability for CiviCRM has not been determined.

jQuery UI v1.12 included multiple cross-site scripting vulnerabilities.

It has not been demonstrated that CiviCRM specifically is exploitable. However, it is possible that third-party extensions could use jQuery UI in a vulnerable fashion.

This is not a security vulnerability. It is a mitigation to protect against misconfiguration.

CiviCRM includes a large number of configurable permissions. Administrators may assign these permissions to various users and roles. This is powerful functionality that accommodates diverse needs, but it provides the opportunity for misconfiguration.

Misconfigurations may arise for a few reasons, such as: