Advisory: OpenFlashChart attacks

IMPORTANT: You do NOT need to upgrade CiviCRM to remove this vulnerability. See "Prevent Attacks: Delete the Vulnerable File" below.

Announcing CiviCRM 4.2.7!!!

The team is excited to announce the seventh release of 4.2 stable with support for Drupal 7, Joomla 2.5 and WordPress 3.3.

We strongly recommend that all sites upgrade their CiviCRM code to this release if you are using a previous version of 4.2. There have been significant (75+) bug fixes, including two security fixes, since the last stable release of 4.2. You can download the release from SourceForge, and you can also test drive the release on each platform using the public demos:

4.2.6 Released !!!

The team is excited to announce the fifth release of 4.2 stable with support for Drupal 7, Joomla 2.5 and WordPress 3.x.

CiviCRM 3.4.4 and 4.0.4 are out!

CiviCRM 3.4.4 and 4.0.4 have just been released and both are available for download. This release fixes security vulnerabilities in the 3.4.3 / 4.0.3 release, helping to harden your system. We recommend you upgrade immediately to realize these improvements. You can also try them out on the public demos: Drupal 6 / Drupal 7 and Joomla 1.5 / Joomla 1.6 sites. The newest CiviCRM versions are:

  • 4.0.4 for Drupal 7 and Joomla 1.6
  • 3.4.4 for Drupal 6 and Joomla 1.5

Important security update - CiviCRM 3.3.5 released

The team is excited to announce the release of CiviCRM 3.3.5 - it is now available for download. You can also try it out on our demo site. Apart from fixing a few bugs, this release contains two critical security updates:

  • Cross-site scripting problem, where the site can be exploited to execute arbitrary JavaScript.
  • Permissioning vulnerability, which allowed anonymous users to potentially change information for another contact.


Please consider doing an upgrade as soon as possible to avoid potential security risks. If you have already upgraded using the 3.3.4 release package - and you did not experience any errors during the upgrade - then you already have the security patches installed and you do not have to upgrade to this release at this time.

CiviCRM 2.2.7 - Security Release AND CiviReport Phase 1

The team has released version 2.2.7 today. This release includes an important security update - and we recommend that you upgrade sites to this release as soon as possible. 2.2.7 also includes phase 1 of CiviReport - with 14 built-in report templates with coverage of contact data, contributions, events and memberships. Stay tuned for a separate blog post with lots more details on the new reporting features.