CIVI-SA-2021-08 Access Bypass in APIv4

Published
2021-04-21 09:00

Some permissions were not being checked adequately before returning results from the CiviCRM APIv4. This did not affect everyday use of CiviCRM, but an attacker could potentially exploit this to bypass security checks and read private data from the database. To date there are no known sites that have been compromised due to this bug. APIv3 was not affected.

Introducing the Community Round Table

Published
2021-03-31 04:16
Written by
josh - member of the CiviCRM community and Core Team member - about the Core Team

The CiviCRM Community Council and CiviCRM Core Team are putting together quarterly meetings and invite you to attend. Dubbed ‘Community Round Tables’, these online meetings are intended to provide attendees with general project updates as well as an opportunity for Q&A and general feedback with the Community Council, the Core Team, and community members at large.

The Community Round Tables will include 2 meetings every quarter in order to accommodate users around the world, with the first happening on April 20th. Information and registration online:

CiviCRM Community, Take Pause and Consider this Letter

Published
2021-03-30 02:36
Written by
josh - member of the CiviCRM community and Core Team member - about the Core Team

As you may be aware, CiviCRM was recently given an award for its incredible social impact by the Free Software Foundation. I think we can all agree that CiviCRM is amazing software! Likewise, I believe that we all recognize that our diversity in perspectives, nationalities, genders, text editors, etc. is vital to the health of both the software and the project.

I’m writing this blog post because now may be one of those times where, as a member of our diverse community, you may wish to express your individual views.

SearchKit & Form Builder - New Developments, Q&A with Core Team

Published
2021-03-29 05:04
Written by
josh - member of the CiviCRM community and Core Team member - about the Core Team

Coleman Watts of the CiviCRM Core Team will give a webinar to present new developments in SearchKit and FormBuilder on April 7 @ 11am US Eastern Time (4pm BST). The webinar will include time for Q&A on planned developments for both SearchKit and Form Builder.

Update: The recording is now available here:

CIVI-PSA-2021-01: Storage Crypto API

Published
2021-03-22 01:59

(This is a public service announcement related to security functionality. It does not detail an exploitable vulnerability. Rather, we wish to advise administrators and developers about an ongoing change to improve security.)

CiviCRM v3.1 introduced a helper "CRM_Utils_Crypt" which encrypted the SMTP password. This mechanism is being phased out circa 5.34 in favor of a more secure mechanism. We will briefly consider the purpose of the mechanism, some of its issues, and the details of the change.

CIVI-SA-2021-03: Cross Site Scripting in "Manage Extensions"

Published
2021-03-09 09:00

The "Manage Extensions" screen provides a list of extensions published by third-party developers. If an extension had a malicious description, it could trick the user's browser into executing Javascript code.

Note: To exploit this, an attacker would need to gain control of a trusted developer account, and they would leave evidence in a public feed. At the time of writing, there is no known evidence of a previous attack. Resolving this issue prevents future attacks.