[IT-SecNots] CiviCRM Security Release (5.13.4, 5.7.6 ESR) - Multiple advisories

["CiviCRM" <info AT civicrm.org>]

There has been a security release for CiviCRM. We recommend you immediately upgrade to one of the following versions:

• CiviCRM v5.13.4
• CiviCRM v5.7.6 ESR

Below are the security advisories details:

• CIVI-SA-2019-09: XXE in PHPWord
• CIVI-SA-2019-10: TCPDF XSS and RCE vulnerabilities
• CIVI-SA-2019-11: jQuery Object.prototype pollution
• CIVI-SA-2019-12: SQLI in "Country", et al
• CIVI-SA-2019-13: Harden against unserialize vulnerabilities
• CIVI-SA-2019-14: SQLI in APIv3 GetOptions
• CIVI-SA-2019-15: XSS via forged MIME type
• CIVI-SA-2019-16: SQLI in certain checkboxes
• CIVI-SA-2019-17: SQLI in "Manage Events"
• CIVI-SA-2019-18: XSS in CiviCRM installer
• CIVIEXT-SA-2019-01: Multiple security issues in APIv4

 

Combined with CiviCRM security release, there is also a security release for API v.4. If you use API v.4 extension, you need to upgrade to:

1. CiviCRM versions between 5.0.0. and 5.12.x: 4.3.1
2. CiviCRM versions 5.13.0 and above: 4.4.1

See the security advisory for more details.

 

A couple of other issues have been fixed in these releases, as described in the official announcement. 

Upgrade now for the most stable CiviCRM experience:

• To download CiviCRM 5.13.4: https://civicrm.org/download
• To download CiviCRM 5.7.6 ESR version: https://civicrm.org/esr

CiviCRM security announcements are available from https://civicrm.org/advisory and via the CiviCRM Security Notifications email list.

 

---

 

Click this link to unsubscribe from this mailing list.

Click this link to opt out of all mail from CiviCRM.org.

Our mailing address is:

2367 24th Ave
San Francisco, California 94116
United States