A Stored Cross-Site Scripting vulnerability exists in CiviCRM before v6.7 in the Accounting Batches field. An authenticated user can inject malicious JavaScript into this field, and it executes whenever the page is viewed.
1 affected package
civicrm
| Package | 26.04 LTS | 24.04 LTS | 22.04 LTS | 20.04 LTS | 18.04 LTS |
|---|---|---|---|---|---|
| civicrm | Not in release | Not in release | Needs evaluation | Needs evaluation | Needs evaluation |
Versions of the package jquery-validation before 1.20.0 are vulnerable to Cross-site Scripting (XSS) in the showLabel() function, which may take input from a user-controlled placeholder value. This value will populate a message...
4 affected packages
kalkun, civicrm, phpmyadmin, znuny
| Package | 26.04 LTS | 24.04 LTS | 22.04 LTS | 20.04 LTS | 18.04 LTS |
|---|---|---|---|---|---|
| kalkun | Needs evaluation | Not in release | Not in release | Not in release | — |
| civicrm | Not in release | Not in release | Needs evaluation | Ignored | Needs evaluation |
| phpmyadmin | Needs evaluation | Needs evaluation | Needs evaluation | Ignored | Needs evaluation |
| znuny | Needs evaluation | Needs evaluation | Not in release | Not in release | — |
Stored Cross-Site Scripting (XSS) vulnerability in the add contact function of CiviCRM 5.59.alpha1 allows attackers to execute arbitrary code via the first/second name field.
1 affected package
civicrm
| Package | 26.04 LTS | 24.04 LTS | 22.04 LTS | 20.04 LTS | 18.04 LTS |
|---|---|---|---|---|---|
| civicrm | Not in release | Not in release | Needs evaluation | Ignored | Ignored |
Some fixes available 8 of 26
Smarty is a template engine for PHP. In affected versions smarty did not properly escape javascript code. An attacker could exploit this vulnerability to execute arbitrary JavaScript code in the context of the user's browser...
4 affected packages
civicrm, smarty3, smarty4, postfixadmin
| Package | 26.04 LTS | 24.04 LTS | 22.04 LTS | 20.04 LTS | 18.04 LTS |
|---|---|---|---|---|---|
| civicrm | Not in release | Not in release | Vulnerable | Vulnerable | Vulnerable |
| smarty3 | Not affected | Fixed | Fixed | Fixed | Fixed |
| smarty4 | Not affected | Not affected | Not in release | Not in release | Not in release |
| postfixadmin | Not affected | Vulnerable | Fixed | Fixed | Fixed |
Snappy is a PHP library allowing thumbnail, snapshot or PDF generation from a url or a html page. Prior to version 1.4.2, Snappy is vulnerable to PHAR deserialization due to a lack of checking on the protocol before passing...
1 affected package
civicrm
| Package | 26.04 LTS | 24.04 LTS | 22.04 LTS | 20.04 LTS | 18.04 LTS |
|---|---|---|---|---|---|
| civicrm | Not in release | Not in release | Needs evaluation | Ignored | Ignored |
Some fixes available 4 of 19
External Control of File Name or Path in GitHub repository dompdf/dompdf prior to 2.0.0.
3 affected packages
php-dompdf, icingaweb2, civicrm
| Package | 26.04 LTS | 24.04 LTS | 22.04 LTS | 20.04 LTS | 18.04 LTS |
|---|---|---|---|---|---|
| php-dompdf | Not in release | Not in release | Fixed | Fixed | Fixed |
| icingaweb2 | Needs evaluation | Needs evaluation | Needs evaluation | Ignored | Ignored |
| civicrm | Not in release | Not in release | Needs evaluation | Ignored | Ignored |
The jQuery Validation Plugin (jquery-validation) provides drop-in validation for forms. Versions of jquery-validation prior to 1.19.5 are vulnerable to regular expression denial of service (ReDoS) when an attacker is able to...
3 affected packages
civicrm, jquery, node-jquery
| Package | 26.04 LTS | 24.04 LTS | 22.04 LTS | 20.04 LTS | 18.04 LTS |
|---|---|---|---|---|---|
| civicrm | Not in release | Not in release | Needs evaluation | Ignored | Ignored |
| jquery | Not in release | Not in release | Not in release | Not affected | Not affected |
| node-jquery | Not affected | Not affected | Not affected | Not affected | Not affected |
Guzzle, an extensible PHP HTTP client. `Authorization` and `Cookie` headers on requests are sensitive information. In affected versions on making a request which responds with a redirect to a URI with a different port, if we...
5 affected packages
civicrm, guzzle, icinga-php-thirdparty, icingaweb2-module-reactbundle, mediawiki
| Package | 26.04 LTS | 24.04 LTS | 22.04 LTS | 20.04 LTS | 18.04 LTS |
|---|---|---|---|---|---|
| civicrm | Not in release | Not in release | Needs evaluation | Ignored | Ignored |
| guzzle | Not affected | Not affected | Not in release | Not in release | Not in release |
| icinga-php-thirdparty | Needs evaluation | Needs evaluation | Needs evaluation | Not in release | Not in release |
| icingaweb2-module-reactbundle | Needs evaluation | Needs evaluation | Needs evaluation | Not in release | Not in release |
| mediawiki | Not affected | Not affected | Needs evaluation | Ignored | Ignored |
Guzzle, an extensible PHP HTTP client. `Authorization` headers on requests are sensitive information. In affected versions when using our Curl handler, it is possible to use the `CURLOPT_HTTPAUTH` option to specify...
5 affected packages
civicrm, guzzle, icinga-php-thirdparty, icingaweb2-module-reactbundle, mediawiki
| Package | 26.04 LTS | 24.04 LTS | 22.04 LTS | 20.04 LTS | 18.04 LTS |
|---|---|---|---|---|---|
| civicrm | Not in release | Not in release | Needs evaluation | Ignored | Ignored |
| guzzle | Not affected | Not affected | Not in release | Not in release | Not in release |
| icinga-php-thirdparty | Needs evaluation | Needs evaluation | Needs evaluation | Not in release | Not in release |
| icingaweb2-module-reactbundle | Needs evaluation | Needs evaluation | Needs evaluation | Not in release | Not in release |
| mediawiki | Not affected | Not affected | Needs evaluation | Ignored | Ignored |
An exponential ReDoS (Regular Expression Denial of Service) can be triggered in the jquery-validation npm package when an attacker is able to supply arbitrary input to the url2 method.
3 affected packages
civicrm, jquery, node-jquery
| Package | 26.04 LTS | 24.04 LTS | 22.04 LTS | 20.04 LTS | 18.04 LTS |
|---|---|---|---|---|---|
| civicrm | Not in release | Not in release | Needs evaluation | Ignored | Ignored |
| jquery | Not in release | Not in release | Not in release | Not affected | Not affected |
| node-jquery | Not affected | Not affected | Not affected | Not affected | Not affected |