Released Nov 1, 2017
- CIVI-SA-2017-08 XSS in HTML link attributes
- CIVI-SA-2017-09 Shell injection vulnerability in Smarty
- CIVI-SA-2017-10 XSS scripting in premium product name
- CIVI-SA-2017-11 XSS in dedupe rules
- CIVI-SA-2017-12 XSS in tag description
- CIVI-SA-2017-13 SelectedChild URL parameter not properly validated
- CIVI-SA-2017-14 XSS in Search Criteria Description
- CIVI-SA-2017-15 Extension key not properly validated
- CIVI-SA-2017-16 SQL injection risk in CiviReports

This release was developed by the following code authors:
Australian Greens - Seamus Lee; Left Join Labs - Sean Madsen
Most authors also reviewed code for this release; in addition, the following reviewers contributed their comments:
CiviCRM - Coleman Watts; JMA Consulting - Monish Deb; Wikimedia Foundation - Eileen McNaughton