Source: civicrm
Version: 4.7.24+dfsg-1
Severity: serious
Tags: security
Justification: security issues

(Since CiviCRM isn't in Jessie nor in Stretch I guess the Security Team can ignore this.)

4.7.26, released on Nov. 1, fixes multiple security issues, with risks upstream classified up to “critical” for CIVI-SA-2017-1[1-5]:

  CIVI-SA-2017-08 XSS in HTML link attributes
  CIVI-SA-2017-09 Shell injection vulnerability in smarty
  CIVI-SA-2017-10 XSS scripting in premium product name
  CIVI-SA-2017-11 XSS in dedupe rules
  CIVI-SA-2017-12 XSS in tag description
  CIVI-SA-2017-13 Selectedchild URL parameter not properly validated for CiviCRM message templates
  CIVI-SA-2017-14 XSS in search criteria description
  CIVI-SA-2017-15 Extension key not properly validated when adding or disabling or uninstalling extension
  CIVI-SA-2017-16 SQL injection risk in CiviReports listing

https://civicrm.org/blog/dev-team/security-release-civicrm-4726-and-4633-monthly-release-4727

-- 
Guilhem.