Coleman Watts of the CiviCRM Core Team will give a webinar to present new developments in SearchKit and FormBuilder on April 7 @ 11am US Eastern Time (4pm BST). The webinar will include time for Q&A on planned developments for both SearchKit and Form Builder.
Update: The recording is now available here:
(This is a public service announcement related to security functionality. It does not detail an exploitable vulnerability. Rather, we wish to advise administrators and developers about an on-going change to improve security.)
CiviCRM v3.1 introduced a helper "CRM_Utils_Crypt" which encrypted the SMTP password. This mechanism is being phased-out circa 5.34 in favor of a more secure mechanism. We will briefly consider the purpose of the mechanism, some of its issues, and the details of the change.
In the Joomla integration, some references to user-account records were not properly sanitized.
CiviCRM's REST API traditionally requires two keys, the "API Key" and the "Site Key". The "Site Key" could potentially be extracted by a "timing attack". In this scenario, an attacker would send many invalid requests, build a statistical profile, and infer the most likely value.
The introduction text on a Personal Campaign Page (PCP) was not properly sanitised prior to display on the Personal Campaign page.
When generating the example code in the APIv4 Explorer, the user entered data was not properly sanitised before displaying as example code within the Explorer.
The "Manage Extensions" screen provides a list of extensions published by third-party developers. If an extension had a malicious description, it could trick the user's browser into executing Javascript code.
Note: To exploit this, an attacker would need to gain control of a trusted developer account, and they would leave evidence in a public feed. At time of writing, there is no known evidence of previous attack. Resolving this issue prevents future attacks.
The development tree for CiviCRM includes a handful of utility scripts in the folders "sql/" and "tools/". These scripts may manipulate data (e.g. generating fake contact records), and they lacked guards to protect from remote/malicious use.
This issue does not affect most deployments which use the standard CiviCRM releases ("*.tar.gz" or "*.zip"). The issue primarily affects developmental/testing systems or highly-customized deployments which directly read from CiviCRM's source code-management system ("git").
When importing data from CSV, the user's browser could be tricked into executing Javascript.
This vulnerability does not escalate the permissions of the user. However, if the user imports data from another application/system, then it could be used for an attack.
CiviCRM version 5.35.0 is now out and ready to download. This is a regular monthly release.
Upgrade now for the most stable CiviCRM experience: https://civicrm.org/download
Users of the CiviCRM Extended Security Releases (ESR) do not need to upgrade, as there are no ESR-specific bug-fixes or security issues at the moment. The current version of ESR is CiviCRM 5.33.x.
