CIVI-SA-2021-05: Reflected Cross Site Scripting in Personal Campaign Pages

Opublikowane
2021-03-09 09:00
Written by

The introduction text on a Personal Campaign Page (PCP) was not properly sanitised prior to display on the Personal Campaign page.

Security Risk
Critical
Vulnerability
Cross Site Scripting
Affected Versions

CiviCRM versions 5.35.0 and earlier

Fixed Versions

CiviCRM version 5.35.1 and ESR version 5.33.3

Publication Date
Solutions

Upgrade to the latest version of CiviCRM

Credits

Seamus Lee of JMA Consulting and CiviCRM Core Team for reporting and fixing the issue.

References

security/core!134