When importing data from a CSV file, the user's browser could be tricked into executing JavaScript contained in the file.
This vulnerability does not escalate the permissions of the user. However, if the user imports data produced by another application or system, that data could be used to mount an attack.
Affected versions: CiviCRM versions 5.35.0 and earlier
Fixed versions: CiviCRM version 5.35.1 and ESR version 5.33.3
Any ONE of these solutions would be sufficient:
- Upgrade to the latest version of CiviCRM
- Refrain from importing CSVs with data that you did not directly generate yourself.
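The issue described above is that cell values from an imported CSV reach the browser as HTML without escaping. The following added example (not CiviCRM's code, and not the patch referenced by this advisory) shows the vulnerable rendering pattern beside its hardened form, plus a pre-import check that flags cells containing markup so an administrator can review a CSV received from another system. The sample CSV, its column names and the function names are constructed for this illustration.

```python
import csv
import html
import io
import re

# Constructed sample CSV (not from the advisory): the second data row carries
# HTML markup in a cell, the kind of content a CSV from another system could contain.
SAMPLE_CSV = """first_name,last_name,email
Alice,Example,alice@example.org
"<script>alert('xss')</script>",Doe,bob@example.org
"""

# Matches anything that looks like an HTML tag inside a cell.
TAG_RE = re.compile(r"<[^>]+>")


def parse_csv(text):
    """Parse CSV text into a list of rows; the first row is the header."""
    return list(csv.reader(io.StringIO(text)))


def render_preview_unsafe(rows):
    """Vulnerable pattern: cell values are dropped into the HTML preview verbatim,
    so a cell containing a <script> tag is executed by the browser."""
    body = "".join(
        "<tr>" + "".join(f"<td>{cell}</td>" for cell in row) + "</tr>"
        for row in rows
    )
    return f"<table>{body}</table>"


def render_preview_safe(rows):
    """Hardened pattern: every cell is HTML-escaped before it is placed in the
    page, so markup from the file is shown as inert text."""
    body = "".join(
        "<tr>" + "".join(f"<td>{html.escape(cell, quote=True)}</td>" for cell in row) + "</tr>"
        for row in rows
    )
    return f"<table>{body}</table>"


def find_markup_cells(rows):
    """Pre-import check: return (row index, column index, value) for every cell
    that contains an HTML tag, so the file can be reviewed before it is trusted."""
    return [
        (r, c, cell)
        for r, row in enumerate(rows)
        for c, cell in enumerate(row)
        if TAG_RE.search(cell)
    ]


if __name__ == "__main__":
    rows = parse_csv(SAMPLE_CSV)
    print(render_preview_safe(rows))
    for r, c, value in find_markup_cells(rows):
        print(f"markup found in row {r}, column {c}: {value!r}")
```

Escaping at the point of output (`render_preview_safe`) is the fix that removes the vulnerability; the `find_markup_cells` check is the operational counterpart to the advisory's second workaround, letting you inspect a CSV you did not generate before importing it.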
Reported by Pradeep Nayak of Circle Interactive
Fixed by Seamus Lee of JMA Consulting / CiviCRM Core Team
Funded by Deutsche Gesellschaft für Internationale Zusammenarbeit (GIZ) GmbH
security/core#100