[IT-SecNots] CiviCRM Security Release (5.28.1, 5.27.5 ESR) - Multiple advisories

["CiviCRM" <info AT civicrm.org>]

There has been a security release for CiviCRM. We recommend you immediately upgrade to one of the following versions:

• CiviCRM v5.28.1
• CiviCRM v5.27.5 ESR

Below are the security advisories:

• CIVI-SA-2020-09: Privilege Escalation via Smart Groups
• CIVI-SA-2020-10: Cross Site Scripting in Activity Details
• CIVI-SA-2020-11: CSRF on CKEditor Configuration
• CIVI-SA-2020-12: XSS in CKEditor Configuration
• CIVI-SA-2020-13: XSS in Event Summary
• CIVI-SA-2020-14: XSS in Profile Description
• CIVI-SA-2020-15: Persistant XSS in Contact Activity Tab
• CIVI-SA-2020-16: jQuery CVE-202-11022, CVE-2020-11023
• CIVI-SA-2020-17: Harden Per-Session Private Key
• CIVI-SA-2020-18: HTML Injection via Error Message
• CIVI-SA-2020-19: Edit Permission for Recurring Contributions

A couple of other issues have been fixed in these releases. Please see the official announcement and release notes.

Upgrade now for the most stable CiviCRM experience:

• To download CiviCRM 5.28.1: https://civicrm.org/download
• To download CiviCRM 5.27.5 ESR version: https://civicrm.org/esr

 

 

 

---

 

Click this link to unsubscribe from this mailing list.

Click this link to opt out of all mail from CiviCRM.org.

Our mailing address is:

2367 24th Ave
San Francisco, California 94116
United States