[IT-SecNots] CiviCRM Security Release (5.19.2, 5.13.7 ESR) - Multiple advisories

["CiviCRM" <info AT civicrm.org>]

There has been a security release for CiviCRM. We recommend you immediately upgrade to one of the following versions:

• CiviCRM v5.19.2
• CiviCRM v5.13.7 ESR

Below are the security advisories details:

• CIVI-SA-2019-19: SQL injection in "dedupefind"
• CIVI-SA-2019-20: Privilege escalation via leaked key
• CIVI-SA-2019-21: PHP object injection via "Saved Search" and "Report Instance" APIs
• CIVI-SA-2019-22: Cross-site scripting in dashboard titles
• CIVI-SA-2019-23: Incorrect storage encoding for APIv4
• CIVIEXT-SA-2019-02: Cross-site scripting in CiviCase v5 extension

A couple of other issues have been fixed in these releases, as described in the official announcement. 

Upgrade now for the most stable CiviCRM experience:

• To download CiviCRM 5.19.2: https://civicrm.org/download
• To download CiviCRM 5.13.7 ESR version: https://civicrm.org/esr

Note: If you use CiviCRM v5.13.7 ESR with the APIv4 extension ("org.civicrm.api4"), you should double-check that your system is running version 4.4.4. In v5.19+, no extra check is necessary.

CiviCRM security announcements are available from https://civicrm.org/advisory and via the CiviCRM Security Notifications email list.

 

---

 

Click this link to unsubscribe from this mailing list.

Click this link to opt out of all mail from CiviCRM.org.

Our mailing address is:

2367 24th Ave
San Francisco, California 94116
United States