MidnightBSD

Advisories for civicrm

CVE-2013-1636 MEDIUM

Cross-site scripting (XSS) vulnerability in open-flash-chart.swf in Open Flash Chart (aka Open-Flash Chart), as used in the Pretty Link Lite plugin before 1.6.3 for WordPress, JNews (com_jnews) component 8.0.1 for Joomla!, and CiviCRM 3.1.0 through 4.2.9 and 4.3.0 through 4.3.3, allows remote attackers to inject arbitrary web script or HTML via the get-data parameter.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-79,

Products Affected

Vendor Product Version
civicrm civicrm 4.3.3
civicrm civicrm 3.3.1
civicrm civicrm 3.2.0
civicrm civicrm 4.2.0
civicrm civicrm 3.1.2
civicrm civicrm 3.2.3
civicrm civicrm 3.2.4
civicrm civicrm 4.1.4
civicrm civicrm 4.2.8
civicrm civicrm 4.2.4
blair_williams pretty_link_lite *
civicrm civicrm 4.1.1
civicrm civicrm 3.3.5
civicrm civicrm 4.1.2
civicrm civicrm 4.1.5
caseproof prettylinks *
caseproof prettylinks 1.6.0
blair_williams pretty_link_lite 1.6.0
civicrm civicrm 3.1.5
civicrm civicrm 3.4.0
civicrm civicrm 4.0.5
civicrm civicrm 4.2.1
civicrm civicrm 4.2.2
civicrm civicrm 4.2.9
civicrm civicrm 3.3.6
civicrm civicrm 4.1.0
civicrm civicrm 3.1.4
civicrm civicrm 3.1.0
civicrm civicrm 4.1.3
civicrm civicrm 4.1.6
blair_williams pretty_link_lite 1.6.1
joobi com_jnews 8.0.1
civicrm civicrm 4.3.0
civicrm civicrm 3.1.1
civicrm civicrm 4.2.5
civicrm civicrm 4.3.1
civicrm civicrm 3.2.1
civicrm civicrm 3.1.3
civicrm civicrm 4.2.7
civicrm civicrm 3.3.3
civicrm civicrm 4.3.2
civicrm civicrm 3.2.5
civicrm civicrm 3.3.2
caseproof prettylinks 1.6.1
civicrm civicrm 4.2.6
civicrm civicrm 3.1.6
civicrm civicrm 3.2.2
civicrm civicrm 3.3.0
CVE-2013-4661 MEDIUM

CiviCRM 2.0.0 through 4.2.9 and 4.3.0 through 4.3.3 does not properly enforce role-based access control (RBAC) restrictions for default custom searches, which allows remote authenticated users with the "access CiviCRM" permission to bypass intended access restrictions, as demonstrated by accessing custom contribution data without having the "access CiviContribute" permission.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-264,

Products Affected

Vendor Product Version
civicrm civicrm 3.0.0
civicrm civicrm 3.0.1
civicrm civicrm 4.3.3
civicrm civicrm 2.2.3
civicrm civicrm 2.2.6
civicrm civicrm 3.3.1
civicrm civicrm 3.2.0
civicrm civicrm 4.2.0
civicrm civicrm 2.0.3
civicrm civicrm 3.1.2
civicrm civicrm 3.2.3
civicrm civicrm 3.2.4
civicrm civicrm 4.1.4
civicrm civicrm 2.1.6
civicrm civicrm 2.2.8
civicrm civicrm 2.0.1
civicrm civicrm 4.2.8
civicrm civicrm 2.1.0
civicrm civicrm 4.2.4
civicrm civicrm 3.0.3
civicrm civicrm 4.1.1
civicrm civicrm 2.2.2
civicrm civicrm 2.2.9
civicrm civicrm 3.3.5
civicrm civicrm 4.1.2
civicrm civicrm 4.1.5
civicrm civicrm 2.0.5
civicrm civicrm 2.2.7
civicrm civicrm 2.1.2
civicrm civicrm 3.1.5
civicrm civicrm 3.0.4
civicrm civicrm 2.0.0
civicrm civicrm 2.0.4
civicrm civicrm 3.4.0
civicrm civicrm 4.0.5
civicrm civicrm 4.2.1
civicrm civicrm 2.1.1
civicrm civicrm 4.2.2
civicrm civicrm 2.1.4
civicrm civicrm 4.2.9
civicrm civicrm 3.3.6
civicrm civicrm 4.1.0
civicrm civicrm 3.1.4
civicrm civicrm 4.1.3
civicrm civicrm 4.1.6
civicrm civicrm 4.3.0
civicrm civicrm 2.0.7
civicrm civicrm 3.1.1
civicrm civicrm 4.2.5
civicrm civicrm 4.3.1
civicrm civicrm 2.0.6
civicrm civicrm 3.2.1
civicrm civicrm 3.1.3
civicrm civicrm 4.2.7
civicrm civicrm 3.3.3
civicrm civicrm 4.3.2
civicrm civicrm 3.2.5
civicrm civicrm 2.2.0
civicrm civicrm 3.3.2
civicrm civicrm 2.0.2
civicrm civicrm 2.2.1
civicrm civicrm 2.2.5
civicrm civicrm 4.2.6
civicrm civicrm 3.0.2
civicrm civicrm 3.1.6
civicrm civicrm 3.2.2
civicrm civicrm 3.3.0
CVE-2013-4662 MEDIUM

The Quick Search API in CiviCRM 4.2.0 through 4.2.9 and 4.3.0 through 4.3.3 allows remote authenticated users to bypass the validation layer and conduct SQL injection attacks via a direct request to the "second layer" of the API, related to contact.getquick.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-89,

Products Affected

Vendor Product Version
civicrm civicrm 4.2.8
civicrm civicrm 4.2.4
civicrm civicrm 4.2.7
civicrm civicrm 4.3.3
civicrm civicrm 4.3.2
civicrm civicrm 4.2.1
civicrm civicrm 4.2.0
civicrm civicrm 4.2.2
civicrm civicrm 4.2.9
civicrm civicrm 4.2.6
civicrm civicrm 4.3.0
civicrm civicrm 4.2.5
civicrm civicrm 4.3.1
CVE-2013-5957 HIGH

Multiple SQL injection vulnerabilities in CRM/Core/Page/AJAX/Location.php in CiviCRM before 4.2.12, 4.3.x before 4.3.7, and 4.4.x before 4.4.beta4 allow remote attackers to execute arbitrary SQL commands via the _value parameter to (1) ajax/jqState or (2) ajax/jqcounty.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-89,

Products Affected

Vendor Product Version
civicrm civicrm 4.2.8
civicrm civicrm 4.4
civicrm civicrm 4.2.4
civicrm civicrm 4.2.7
civicrm civicrm 4.3.3
civicrm civicrm 4.3.2
civicrm civicrm 4.2.1
civicrm civicrm 4.2.0
civicrm civicrm 4.2.2
civicrm civicrm 4.2.9
civicrm civicrm 4.3.6
civicrm civicrm 4.2.10
civicrm civicrm 4.3.5
civicrm civicrm 4.4.0
civicrm civicrm 4.2.6
civicrm civicrm 4.3.0
civicrm civicrm *
civicrm civicrm 4.2.5
civicrm civicrm 4.3.1
civicrm civicrm 4.3.4
CVE-2015-4391 MEDIUM

Cross-site request forgery (CSRF) vulnerability in the CiviCRM private report module 6.x-1.x before 6.x-1.2 and 7.x-1.x before 7.x-1.3 for Drupal allows remote attackers to hijack the authentication of users for requests that delete reports via unspecified vectors.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-352,

Products Affected

Vendor Product Version
civicrm civicrm_private_report 6.x-1.1
civicrm civicrm_private_report 7.x-1.1
civicrm civicrm_private_report 7.x-1.2
civicrm civicrm_private_report 6.x-1.0
civicrm civicrm_private_report 7.x-1.0
CVE-2018-1999022 HIGH

PEAR HTML_QuickForm version 3.2.14 contains an eval injection (CWE-95) vulnerability in HTML_QuickForm's getSubmitValue method, HTML_QuickForm's validate method, HTML_QuickForm_hierselect's _setOptions method, HTML_QuickForm_element's _findValue method, HTML_QuickForm_element's _prepareValue method. that can result in Possible information disclosure, possible impact on data integrity and execution of arbitrary code. This attack appear to be exploitable via A specially crafted query string could be utilised, e.g. http://www.example.com/admin/add_practice_type_id[1]=fubar%27])%20OR%20die(%27OOK!%27);%20//&mode=live. This vulnerability appears to have been fixed in 3.2.15.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-94,

Products Affected

Vendor Product Version
html_quickform_project html_quickform 3.2.14
civicrm civicrm 5.3.0
civicrm civicrm *
CVE-2020-36388 MEDIUM

In CiviCRM before 5.21.3 and 5.22.x through 5.24.x before 5.24.3, users may be able to upload and execute a crafted PHAR archive.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-434,

Products Affected

Vendor Product Version
civicrm civicrm *
CVE-2020-36389 MEDIUM

In CiviCRM before 5.28.1 and CiviCRM ESR before 5.27.5 ESR, the CKEditor configuration form allows CSRF.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-352,

Products Affected

Vendor Product Version
civicrm civicrm *
CVE-2023-25440

Stored Cross Site Scripting (XSS) vulnerability in the add contact function CiviCRM 5.59.alpha1, allows attackers to execute arbitrary code in first/second name field.

Products Affected

Vendor Product Version
civicrm civicrm 5.59
CVE-2025-65187

A Stored Cross Site Scripting vulnerability exists in CiviCRM before v6.7 in the Accounting Batches field. An authenticated user can inject malicious JavaScript into this field and it executes whenever the page is viewed.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
134c704f-9b21-4f2e-91b3-4a467353bcc0 6.1 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N 2.8 2.7

Products Affected

Vendor Product Version
civicrm civicrm *