CIVI-SA-2017-10 XSS scripting in preimum product name

Opublikowane

2017-11-01 09:00

Written by

dev-team

When creating premium product in CiviCRM, the output of the product name was not properly being escaped as the alternate text when an image was being used for the product. This had the potential on contribution pages to expose credit card information.

Security Risk

Moderately Critical

Vulnerability

Cross Site Scripting

Affected Versions

CiviCRM versions prior to 4.7.26 and 4.6.33

Fixed Versions

CiviCRM version 4.7.26 and 4.6.33

Solutions

Upgrade to the latest CiviCRM Version

4.7.26
4.6.33

or later

If you cannot upgrade you should apply the following patch

Credits

Sean Madsen of Left Join Labs for reporting the issue.

Seamus Lee of Australian Greens for fixing the issue.

References

CRM-21014

We are in the process of translating the civicrm.org website. Translations may not be available in all languages. Read more and participate.

© 2005 - 2023, CIVICRM LLC. All rights reserved.
CiviCRM and the CiviCRM logo are trademarks of CIVICRM LLC. Except where otherwise noted, content on this site is licensed under a Creative Commons Attribution-Share Alike 3.0 United States Licence.

[D8]

CIVI-SA-2017-10 XSS scripting in preimum product name

WORK WITH A TRUSTED EXPERT
TO SETUP YOUR CIVICRM

Languages

CIVI-SA-2017-10 XSS scripting in preimum product name

WORK WITH A TRUSTED EXPERT TO SETUP YOUR CIVICRM

WORK WITH A TRUSTED EXPERT
TO SETUP YOUR CIVICRM