CIVI-SA-2023-08: KCFinder XSS

Pubblicato
2023-09-06 12:00
Written by

KCFinder provides a file-management dialog for CKEditor 4. It included two vulnerabilities:

  1. It allowed a "reflected" cross-site scripting (XSS) attack.
  2. It bypassed a CiviCRM policy option which limits file-uploads. (This bypass was still subject to other restrictions. The likely impact is to allow a "stored" XSS attack. However, it is possible for there to be other impacts.)
Security Risk
Moderately Critical
Vulnerability
Access Bypass
Cross Site Scripting
Affected Versions

CiviCRM version 5.64.3 and earlier

Fixed Versions

CiviCRM version 5.64.4, 5.65.0 and 5.63.4 (ESR)

Publication Date
Solutions

Upgrade to the fixed version of CiviCRM

Credits

Dennis Brinkrolf of RIPS Technologies / Cure53 / Mozilla Open Source Support (MOSS).
Seamus Lee of JMA Consulting/CiviCRM.
Tim Otten of CiviCRM.