Ben Hubbard, one of our Principal Security Consultants, has identified security vulnerabilities within the CiviCRM product.

Ben identified two instances of stored Cross-Site Scripting (XSS) within the product: one in the profile description field and one in the event summary. Both were responsibly disclosed to the vendor and have now been fixed. Armadillo Sec recommends that all users update to the latest version of CiviCRM to ensure they are protected against these vulnerabilities.

Vulnerability Acknowledgement 1:

https://civicrm.org/advisory/civi-sa-2020-14-xss-profile-description-field

Vulnerability Acknowledgement 2:

https://civicrm.org/advisory/civi-sa-2020-13-xss-event-summary

Disclosure Timeline

Vulnerabilities reported to the vendor: 5th August 2020

Vulnerabilities resolved by the vendor: 19th August 2020