[Secure-testing-team] Bug#887330: civicrm: Multiple XSS vulnerabilities were found in CiviCRM ≤4.7.26
Guilhem Moulin
guilhem at debian.org
Mon Jan 15 00:42:28 UTC 2018
Source: civicrm
Version: 4.7.24+dfsg-1
Severity: serious
Tags: security
Justification: security issues
(Since CiviCRM isn't in Jessie or Stretch, I guess the Security Team
can ignore this.)
4.7.26, released on Nov. 1, fixes multiple security issues, with risks
upstream classified up to “critical” for CIVI-SA-2017-1[1-5]:
CIVI-SA-2017-08 XSS in HTML link attributes
CIVI-SA-2017-09 Shell injection vulnerability in smarty
CIVI-SA-2017-10 XSS scripting in premium product name
CIVI-SA-2017-11 XSS in dedupe rules
CIVI-SA-2017-12 XSS in tag description
CIVI-SA-2017-13 Selectedchild URL parameter not properly validated for CiviCRM message templates
CIVI-SA-2017-14 XSS in search criteria description
CIVI-SA-2017-15 Extension key not properly validated when adding or disabling or uninstalling extension
CIVI-SA-2017-16 SQL injection risk in CiviReports listing
— https://civicrm.org/blog/dev-team/security-release-civicrm-4726-and-4633-monthly-release-4727
--
Guilhem.