[IT-SecNots] CiviCRM Security Release (5.24.3, 5.21.3 ESR) - Multiple advisories

["CiviCRM" <info AT civicrm.org>]

There has been a security release for CiviCRM. We recommend you immediately upgrade to one of the following versions:

• CiviCRM v5.24.3
• CiviCRM v5.21.3 ESR

Below are the security advisories details:

• CIVI-SA-2020-01: Sanitize Entity Name
• CIVI-SA-2020-02: API Key Disclosure
• CIVI-SA-2020-03: PHP Code Execution via Phar Deserialization
• CIVI-SA-2020-04: Cross Site Scripting within CiviCase Reports
• CIVI-SA-2020-05: SQL Injection in Campaign Summary and Delete Activity
• CIVI-SA-2020-06: SQLI in Query Builder
• CIVI-SA-2020-07: CSRF in Scheduled Jobs
• CIVI-SA-2020-08: XSS via JS libraries

A couple of other issues have been fixed in these releases, as described in the official announcement. 

Upgrade now for the most stable CiviCRM experience:

• To download CiviCRM 5.24.3: https://civicrm.org/download
• To download CiviCRM 5.21.3 ESR version: https://civicrm.org/esr

 

 

 

---

 

Click this link to unsubscribe from this mailing list.

Click this link to opt out of all mail from CiviCRM.org.

Our mailing address is:

2367 24th Ave
San Francisco, California 94116
United States