CIVI-SA-2020-18: HTML Injection through error message
In certain output media, error messages were not properly escaped.
This issue did not lead directly to cross-site scripting, but it could lead to other HTML injections.
For each session, CiviCRM stores a private session key. This patch addresses multiple issues which could compromise the strength or security of the key.
The jQuery project released version 3.5.0, and as part of that, disclosed two security vulnerabilities that affect all prior versions. As mentioned in the jQuery blog, both are
"[...] security issues in jQuery’s DOM manipulation methods, as in .html(), .append(), and the others. Security advisories for both of these issues have been published on GitHub."
Those advisories are:
In certain screens, the Activity "Subject" field was not properly escaped to prevent cross site scripting.
In certain screens, the Profile "Description" field was not properly escaped to prevent cross site scripting.
In certain screens, the Event "Summary" field was not properly escaped to prevent cross site scripting.
CiviCRM did not provide sufficient protection on the CKEditor configuration form, which could allow a user to store and execute JavaScript.
Note: This form had another vulnerability in the same version. The risk from two overlapping vulnerabilities may be greater than the risk of each individually.
CiviCRM did not provide sufficient protection on the CKEditor configuration form, which could allow a malicious third-party to trick a CiviCRM administrator into changing the configuration.
Note: This form had another vulnerability in the same version. The risk from two overlapping vulnerabilities may be greater than the risk of each individually.
When viewing an activity, the activity details were not sufficiently filtered to prevent cross-site scripting attacks.
In CiviCRM, an Access Control List (ACL) confers limited access to contact records (based on the membership list for a "Group" of contacts). In configurations with "ACL Smart Groups", a flaw allowed limited backend users to re-define their group criteria and gain elevated access. The fix ensures that only trusted users (with permission "edit groups") may re-define the group criteria.