Daniel Compton, our Managing Director, has identified security vulnerabilities within the CiviCRM product.

Daniel identified two instances of stored Cross-Site Scripting (XSS) within the product, which were then responsibly disclosed to the vendor and have now been fully rectified. Armadillo Sec recommends that all users update to the latest version of CiviCRM to ensure they are protected against these vulnerabilities.

Vulnerability Acknowledgement 1:

https://civicrm.org/advisory/civiext-sa-2019-02-xss-in-civicase-v5-extension

Vulnerability Acknowledgement 2:

https://civicrm.org/advisory/civi-sa-2019-22-xss-in-dashboard-titles

Disclosure Timeline

Vulnerability reported: 17th July 2019

Vulnerability resolved: 20th November 2019