[IT-SecNots] CiviCRM Security Release (5.10.3, 5.7.4 ESR) - Multiple advisories, regression fixes

["CiviCRM" <info AT civicrm.org>]

There has been a security release for CiviCRM. We recommend you immediately upgrade to one of the following versions:

• CiviCRM v5.10.3
• CiviCRM v5.7.4 ESR

In addition to the security fixes, this release includes two regression fixes. 

Below are the security advisories details:

• CIVI-SA-2019-01 Weak access-control for file attachments
• CIVI-SA-2019-02 SQL Injection in "PrevNext" Cache
• CIVI-SA-2019-03 Cross-Site Scripting in "Logging Details" Report
• CIVI-SA-2019-04 SQL Injection in Group and Tag Filters
• CIVI-SA-2019-05 Cross-Site Scripting in "New Pledge" Form
• CIVI-SA-2019-06 Cross-Site Scripting in Contact Reference Fields
• CIVI-SA-2019-07 Limit Cross-Domain Execution by jQuery

A couple of other issues have been fixed in these releases, as described in the official announcement. 

Upgrade now for the most stable CiviCRM experience:

• To download CiviCRM 5.10.3: https://civicrm.org/download
• To download CiviCRM 5.7.4 ESR version: https://civicrm.org/esr

CiviCRM security announcements are available from https://civicrm.org/advisory and via the CiviCRM Security Notifications email list.

 

---

 

Click this link to unsubscribe from this mailing list.

Click this link to opt out of all mail from CiviCRM.org.

Our mailing address is:

2367 24th Ave
San Francisco, California 94116
United States