Search CVE reports
1 – 10 of 12 results
CVE-2023-25440
Medium priority
Stored Cross Site Scripting (XSS) vulnerability in the add contact function of CiviCRM 5.59.alpha1 allows attackers to execute arbitrary script, in the browser of any user who views the contact, via the first/second name field.
1 affected package
civicrm
Package | 24.04 LTS | 22.04 LTS | 20.04 LTS | 18.04 LTS | 16.04 LTS |
---|---|---|---|---|---|
civicrm | Not in release | Needs evaluation | Needs evaluation | Needs evaluation | Needs evaluation |
CVE-2023-28447
High priority
Some fixes available (8 of 27)
Smarty is a template engine for PHP. In affected versions Smarty did not properly escape JavaScript code. An attacker could exploit this vulnerability to execute arbitrary JavaScript code in the context of the user's browser...
4 affected packages
civicrm, postfixadmin, smarty3, smarty4
Package | 24.04 LTS | 22.04 LTS | 20.04 LTS | 18.04 LTS | 16.04 LTS |
---|---|---|---|---|---|
civicrm | Not in release | Needs evaluation | Needs evaluation | Needs evaluation | Needs evaluation |
postfixadmin | Vulnerable | Fixed | Fixed | Fixed | Not affected |
smarty3 | Fixed | Fixed | Fixed | Fixed | Needs evaluation |
smarty4 | Needs evaluation | Not in release | Not in release | Not in release | Ignored |
CVE-2023-28115
Medium priority
Snappy is a PHP library allowing thumbnail, snapshot or PDF generation from a url or a html page. Prior to version 1.4.2, Snappy is vulnerable to PHAR deserialization due to a lack of checking on the protocol before passing...
1 affected package
civicrm
Package | 24.04 LTS | 22.04 LTS | 20.04 LTS | 18.04 LTS | 16.04 LTS |
---|---|---|---|---|---|
civicrm | Not in release | Needs evaluation | Needs evaluation | Needs evaluation | Needs evaluation |
CVE-2022-2400
Medium priority
Some fixes available (4 of 22)
External Control of File Name or Path in GitHub repository dompdf/dompdf prior to 2.0.0.
3 affected packages
civicrm, icingaweb2, php-dompdf
Package | 24.04 LTS | 22.04 LTS | 20.04 LTS | 18.04 LTS | 16.04 LTS |
---|---|---|---|---|---|
civicrm | Not in release | Needs evaluation | Needs evaluation | Needs evaluation | Needs evaluation |
icingaweb2 | Needs evaluation | Needs evaluation | Needs evaluation | Needs evaluation | Needs evaluation |
php-dompdf | Not in release | Fixed | Fixed | Fixed | Fixed |
CVE-2022-31147
Medium priority
The jQuery Validation Plugin (jquery-validation) provides drop-in validation for forms. Versions of jquery-validation prior to 1.19.5 are vulnerable to regular expression denial of service (ReDoS) when an attacker is able to...
3 affected packages
civicrm, jquery, node-jquery
Package | 24.04 LTS | 22.04 LTS | 20.04 LTS | 18.04 LTS | 16.04 LTS |
---|---|---|---|---|---|
civicrm | Not in release | Needs evaluation | Needs evaluation | Needs evaluation | Needs evaluation |
jquery | Not in release | Not in release | Not affected | Not affected | Not affected |
node-jquery | Not affected | Not affected | Not affected | Not affected | Not affected |
CVE-2022-31091
Medium priority
Guzzle, an extensible PHP HTTP client. `Authorization` and `Cookie` headers on requests are sensitive information. In affected versions on making a request which responds with a redirect to a URI with a different port, if we...
5 affected packages
civicrm, guzzle, icinga-php-thirdparty, icingaweb2-module-reactbundle, mediawiki
Package | 24.04 LTS | 22.04 LTS | 20.04 LTS | 18.04 LTS | 16.04 LTS |
---|---|---|---|---|---|
civicrm | Not in release | Needs evaluation | Needs evaluation | Needs evaluation | Needs evaluation |
guzzle | Not affected | Not in release | Not in release | Not in release | Not in release |
icinga-php-thirdparty | Needs evaluation | Needs evaluation | Not in release | Not in release | Not in release |
icingaweb2-module-reactbundle | Needs evaluation | Needs evaluation | Not in release | Not in release | Not in release |
mediawiki | Not affected | Needs evaluation | Needs evaluation | Needs evaluation | Not in release |
CVE-2022-31090
Medium priority
Guzzle, an extensible PHP HTTP client. `Authorization` headers on requests are sensitive information. In affected versions when using our Curl handler, it is possible to use the `CURLOPT_HTTPAUTH` option to specify...
5 affected packages
civicrm, guzzle, icinga-php-thirdparty, icingaweb2-module-reactbundle, mediawiki
Package | 24.04 LTS | 22.04 LTS | 20.04 LTS | 18.04 LTS | 16.04 LTS |
---|---|---|---|---|---|
civicrm | Not in release | Needs evaluation | Needs evaluation | Needs evaluation | Needs evaluation |
guzzle | Not affected | Not in release | Not in release | Not in release | Not in release |
icinga-php-thirdparty | Needs evaluation | Needs evaluation | Not in release | Not in release | Not in release |
icingaweb2-module-reactbundle | Needs evaluation | Needs evaluation | Not in release | Not in release | Not in release |
mediawiki | Not affected | Needs evaluation | Needs evaluation | Needs evaluation | Not in release |
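The two Guzzle entries above (CVE-2022-31091 and CVE-2022-31090) describe the same class of mistake: credentials attached to a request survive a redirect that lands on a different origin, because the client compared only the host name and so treated a change of port (or scheme) as "same site". The block below is an added illustration of that decision, written for this page; it is not Guzzle's code, the `curl_opts` dict is a constructed stand-in for a real curl handle, and the header and option names are the ones used in the descriptions above.

```python
"""Credential handling across HTTP redirects: weak (host-only) versus strict
(scheme + host + port) origin comparison. Example code for this page, not
Guzzle's implementation."""
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}
SENSITIVE_HEADERS = ("authorization", "cookie")
# Assumed mapping of per-handle auth state for the CURLOPT_HTTPAUTH case;
# these are the libcurl option names, but the dict itself is a model, not a handle.
CURL_AUTH_OPTIONS = ("CURLOPT_HTTPAUTH", "CURLOPT_USERPWD")


def origin(url):
    """(scheme, host, effective port) of a URL. Default ports are normalised so
    https://api.example and https://api.example:443 compare equal."""
    p = urlsplit(url)
    scheme = p.scheme.lower()
    host = (p.hostname or "").lower()
    port = p.port if p.port is not None else DEFAULT_PORTS.get(scheme)
    return scheme, host, port


def same_origin_hostonly(src, dst):
    """The weak check: only the host is compared, so a redirect from
    https://api.example/ to https://api.example:8443/ (or to http://api.example/)
    is treated as the same origin and credentials are forwarded."""
    return origin(src)[1] == origin(dst)[1]


def same_origin(src, dst):
    """The strict check: scheme, host and port must all match."""
    return origin(src) == origin(dst)


def headers_for_redirect(headers, src, dst, check=same_origin):
    """Headers to send on the redirected request. Authorization and Cookie are
    dropped unless `check` says the target is the same origin as `src`.
    `check` is a parameter only so the two comparisons can be contrasted."""
    if check(src, dst):
        return dict(headers)
    return {k: v for k, v in headers.items() if k.lower() not in SENSITIVE_HEADERS}


def curl_auth_for_redirect(curl_opts, src, dst):
    """Model of the CVE-2022-31090 variant: when credentials live on the transport
    handle (CURLOPT_HTTPAUTH / CURLOPT_USERPWD) rather than in a header, stripping
    the Authorization header alone is not enough; the handle options must be
    cleared too on a change of origin."""
    if same_origin(src, dst):
        return dict(curl_opts)
    return {k: v for k, v in curl_opts.items() if k not in CURL_AUTH_OPTIONS}


if __name__ == "__main__":
    # Constructed request: bearer token plus session cookie, redirected to
    # the same host on a non-default port.
    hdrs = {"Authorization": "Bearer t0k3n", "Cookie": "sid=abc", "Accept": "*/*"}
    src, dst = "https://api.example/login", "https://api.example:8443/next"
    print("host-only:", headers_for_redirect(hdrs, src, dst, check=same_origin_hostonly))
    print("strict   :", headers_for_redirect(hdrs, src, dst))
```

The strict comparison also catches the scheme downgrade case (an `https` request redirected to `http` on the same host and default ports), which the host-only check lets through just as silently as the port change named in CVE-2022-31091.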
CVE-2021-43306
Medium priority
An exponential ReDoS (Regular Expression Denial of Service) can be triggered in the jquery-validation npm package, when an attacker is able to supply arbitrary input to the url2 method.
3 affected packages
civicrm, jquery, node-jquery
Package | 24.04 LTS | 22.04 LTS | 20.04 LTS | 18.04 LTS | 16.04 LTS |
---|---|---|---|---|---|
civicrm | Not in release | Needs evaluation | Needs evaluation | Needs evaluation | Needs evaluation |
jquery | Not in release | Not in release | Not affected | Not affected | Not affected |
node-jquery | Not affected | Not affected | Not affected | Not affected | Not affected |
CVE-2020-36389
Medium priority
In CiviCRM before 5.28.1 and CiviCRM ESR before 5.27.5 ESR, the CKEditor configuration form allows CSRF.
1 affected package
civicrm
Package | 24.04 LTS | 22.04 LTS | 20.04 LTS | 18.04 LTS | 16.04 LTS |
---|---|---|---|---|---|
civicrm | Not in release | Not affected | Needs evaluation | Needs evaluation | Needs evaluation |
CVE-2020-36388
Medium priority
In CiviCRM before 5.21.3 and 5.22.x through 5.24.x before 5.24.3, users may be able to upload and execute a crafted PHAR archive.
1 affected package
civicrm
Package | 24.04 LTS | 22.04 LTS | 20.04 LTS | 18.04 LTS | 16.04 LTS |
---|---|---|---|---|---|
civicrm | Not in release | Not affected | Needs evaluation | Needs evaluation | Needs evaluation |
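Every entry in this listing follows the same layout: the CVE id, a priority line (sometimes with a "Some fixes available N of M" count), a one-paragraph description, an affected-package count and list, and a status table with one row per package and one column per Ubuntu release. When a listing like this runs to dozens of rows, what a maintainer actually needs is the set of (CVE, package) pairs that still need action on the release they run. The block below is an added example that parses this layout into records and triages them per release; it is not code from the Ubuntu tracker, and the listing embedded in it is a constructed excerpt in the same shape as the tables above (the status vocabulary is the one the tables use).

```python
"""Parse a CVE-tracker style listing (the layout used on this page) and report
which packages still need attention on a given Ubuntu release.
Example code for this page, not the tracker's own. The SAMPLE text is a
constructed excerpt in the listing's layout."""
import re

SAMPLE = """\
CVE-2023-28447
High prioritySome fixes available 8 of 27
Smarty is a template engine for PHP. In affected versions Smarty did not properly escape JavaScript code.
4 affected packages
civicrm, postfixadmin, smarty3, smarty4
Package | 24.04 LTS | 22.04 LTS | 20.04 LTS | 18.04 LTS | 16.04 LTS |
---|---|---|---|---|---|
civicrm | Not in release | Needs evaluation | Needs evaluation | Needs evaluation | Needs evaluation |
postfixadmin | Vulnerable | Fixed | Fixed | Fixed | Not affected |
smarty3 | Fixed | Fixed | Fixed | Fixed | Needs evaluation |
smarty4 | Needs evaluation | Not in release | Not in release | Not in release | Ignored |
CVE-2020-36388
Medium priority
In CiviCRM before 5.21.3, users may be able to upload and execute a crafted PHAR archive.
1 affected package
civicrm
Package | 24.04 LTS | 22.04 LTS | 20.04 LTS | 18.04 LTS | 16.04 LTS |
---|---|---|---|---|---|
civicrm | Not in release | Not affected | Needs evaluation | Needs evaluation | Needs evaluation |
"""

CVE_RE = re.compile(r"^CVE-\d{4}-\d{4,}$")
# The priority label is sometimes fused to the following text on extracted
# pages ("High prioritySome fixes ..."), so capture any remainder on the line.
PRIORITY_RE = re.compile(r"^(Negligible|Low|Medium|High|Critical) priority(.*)$")
FIXES_RE = re.compile(r"^Some fixes available\s*\(?(\d+) of (\d+)\)?$")

# Statuses that still require a decision by whoever runs the package.
# "Needs evaluation" means the tracker has not assessed it: unresolved, not safe.
ACTIONABLE = {"Vulnerable", "Needs evaluation"}
PRIORITY_RANK = {"Critical": 0, "High": 1, "Medium": 2, "Low": 3, "Negligible": 4}


def parse_listing(text):
    """Return a list of dicts: id, priority, fixes (fixed, total) or None,
    description, status[package][release]."""
    entries, current, headers, state = [], None, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if CVE_RE.match(line):
            current = {"id": line, "priority": None, "fixes": None,
                       "description": "", "status": {}}
            entries.append(current)
            headers, state = None, "priority"
            continue
        if current is None:
            continue
        if state == "priority":
            m = PRIORITY_RE.match(line)
            if m:
                current["priority"] = m.group(1)
                state = "description"
                line = m.group(2).strip()  # fall through with the fused remainder
                if not line:
                    continue
        if state == "description":
            f = FIXES_RE.match(line)
            if f:
                current["fixes"] = (int(f.group(1)), int(f.group(2)))
                continue
            current["description"] = line
            state = "packages"
            continue
        if state == "packages":
            # Skip the "N affected packages" line and the package list; the
            # table header carries the release names we need.
            if line.startswith("Package |"):
                headers = [h.strip() for h in line.strip("|").split("|")][1:]
                state = "table"
            continue
        if state == "table":
            if set(line) <= set("-| "):
                continue  # markdown separator row
            cells = [c.strip() for c in line.strip("|").split("|")]
            if len(cells) == len(headers) + 1:
                current["status"][cells[0]] = dict(zip(headers, cells[1:]))
    return entries


def triage(entries, release):
    """(priority, cve, package, status) rows still needing action on `release`,
    worst priority first and confirmed-Vulnerable before Needs-evaluation."""
    rows = [(e["priority"], e["id"], pkg, st[release])
            for e in entries for pkg, st in e["status"].items()
            if st.get(release) in ACTIONABLE]
    rows.sort(key=lambda r: (PRIORITY_RANK.get(r[0], 9), r[3] != "Vulnerable", r[1], r[2]))
    return rows


if __name__ == "__main__":
    for row in triage(parse_listing(SAMPLE), "24.04 LTS"):
        print(*row, sep="  ")
```

Two caveats when reading the output. An empty triage list for a release means the tracker has nothing open for the *packaged* versions, not that the application is clean: a CiviCRM installed from an upstream tarball rather than the `civicrm` package is outside the tracker's scope entirely, and "Not in release" says only that the package is absent from that release. And "Needs evaluation" is deliberately ranked as actionable here: until someone checks whether the packaged version contains the vulnerable code, it has to be treated as if it does.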