Ben Hubbard, one of our Principal Security Consultants, has identified security vulnerabilities within the CiviCRM product.
Ben identified two instances of stored Cross-Site Scripting (XSS) within the product (one in the profile description field and one in the event summary), which were then responsibly disclosed to the vendor and have now been fully rectified. Armadillo Sec recommend that all users update to the latest version of CiviCRM to ensure they are protected against these vulnerabilities; the vendor advisories linked below give the affected and fixed versions.
Vulnerability Acknowledgement 1:
https://civicrm.org/advisory/civi-sa-2020-14-xss-profile-description-field
Vulnerability Acknowledgement 2:
https://civicrm.org/advisory/civi-sa-2020-13-xss-event-summary
Disclosure Timeline
Vulnerability reported: 5th August 2020
Vulnerability resolved: 19th August 2020