In some situations, users without the permission "edit contributions" could edit recurring contributions.

In certain output media, error messages were not properly escaped.

This issue did not lead directly to cross-scripting, but it could lead to other HTML injections.

For each session, CiviCRM stores a private session key. This patch addresses multiple issues which could compromise the strength or security of the key.

The jQuery project released version 3.5.0, and as part of that, disclosed two security vulnerabilities that affect all prior versions. As mentioned in the jQuery blog, both are

"[...] security issues in jQuery’s DOM manipulation methods, as in .html(), .append(), and the others. Security advisories for both of these issues have been published on GitHub."

Those advisories are:

In certain screens, the Activity "Subject" field was not properly escaped to prevent cross site scripting.

In certain screens, the Profile "Description" field was not properly escaped to prevent cross site scripting.

In certain screens, the Event "Summary" field was not properly escaped to prevent cross site scripting.

CiviCRM did not provide sufficient protection on the CKEditor configuration form, which could allow user to store and execute Javascript.

Note: This form had another vulnerability in the same version. The risk from two overlapping vulnerabilities may be greater than the risk of each individually.

CiviCRM did not provide sufficient protection on the CKEditor configuration form, which could allow a malicious third-party to trick a CiviCRM administrator into changing the configuration.

Note: This form had another vulnerability in the same version. The risk from two overlapping vulnerabilities may be greater than the risk of each individually.

When viewing an activity, the activity details were not sufficiently filtered to prevent cross-site scripting attacks.