Debian Civicrm vulnerabilities
12 known vulnerabilities affecting debian/civicrm.
Total CVEs: 12
CISA KEV: 0
Public exploits: 1
Exploited in wild: 0
Severity breakdown: CRITICAL 2, HIGH 1, MEDIUM 5, LOW 4
Vulnerabilities
CVE-2025-65187 | MEDIUM | CVSS 6.1 | 2025
A Stored Cross Site Scripting vulnerability exists in CiviCRM before v6.7 in the Accounting Batches field. An authenticated user can inject malicious JavaScript into this field and it executes whenever the page is viewed.
Scope: local
bullseye: open
debian
CVE-2025-3573 | MEDIUM | CVSS 5.3 | fixed in kalkun 0.8.3.2-1 (forky) | 2025
Versions of the package jquery-validation before 1.20.0 are vulnerable to Cross-site Scripting (XSS) in the showLabel() function, which may take input from a user-controlled placeholder value. This value will populate a message via $.validator.messages in a user localizable dictionary.
Scope: local
bullseye: open
debian
CVE-2023-28115 | CRITICAL | CVSS 9.8 | 2023
Snappy is a PHP library allowing thumbnail, snapshot or PDF generation from a URL or an HTML page. Prior to version 1.4.2, Snappy is vulnerable to PHAR deserialization due to a lack of checking on the protocol before passing it into the `file_exists()` function. If an attacker can upload files of any type to the server he can pass in the phar:// protocol to unser
debian
CVE-2023-25440 | MEDIUM | CVSS 5.4 | PoC available | 2023
Stored Cross Site Scripting (XSS) vulnerability in the add contact function CiviCRM 5.59.alpha1, allows attackers to execute arbitrary code in first/second name field.
Scope: local
bullseye: open
debian
CVE-2021-21252 | MEDIUM | CVSS 5.3 | fixed in otrs2 6.0.32-4 (bullseye) | 2021
The jQuery Validation Plugin provides drop-in validation for your existing forms. It is published as an npm package "jquery-validation". jquery-validation before version 1.19.3 contains one or more regular expressions that are vulnerable to ReDoS (Regular Expression Denial of Service). This is fixed in 1.19.3.
Scope: local
bullseye: open
debian
CVE-2020-36388 | HIGH | CVSS 8.8 | fixed in civicrm 5.24.5+dfsg1-1 (bullseye) | 2020
In CiviCRM before 5.21.3 and 5.22.x through 5.24.x before 5.24.3, users may be able to upload and execute a crafted PHAR archive.
Scope: local
bullseye: resolved (fixed in 5.24.5+dfsg1-1)
debian
CVE-2020-36389 | MEDIUM | CVSS 4.3 | fixed in civicrm 5.28.4+dfsg1-1 (bullseye) | 2020
In CiviCRM before 5.28.1 and CiviCRM ESR before 5.27.5 ESR, the CKEditor configuration form allows CSRF.
Scope: local
bullseye: resolved (fixed in 5.28.4+dfsg1-1)
debian
CVE-2018-1999022 | CRITICAL | CVSS 9.8 | fixed in civicrm 5.3.1+dfsg-1 (bullseye) | 2018
PEAR HTML_QuickForm version 3.2.14 contains an eval injection (CWE-95) vulnerability in HTML_QuickForm's getSubmitValue method, HTML_QuickForm's validate method, HTML_QuickForm_hierselect's _setOptions method, HTML_QuickForm_element's _findValue method, and HTML_QuickForm_element's _prepareValue method, which can result in possible information disclosure, possibl
debian
CVE-2013-4661 | LOW (summary line lists MEDIUM) | CVSS 4.9 | 2013
CiviCRM 2.0.0 through 4.2.9 and 4.3.0 through 4.3.3 does not properly enforce role-based access control (RBAC) restrictions for default custom searches, which allows remote authenticated users with the "access CiviCRM" permission to bypass intended access restrictions, as demonstrated by accessing custom contribution data without having the "access CiviContribute" p
debian
CVE-2013-4662 | LOW (summary line lists MEDIUM) | CVSS 6.5 | 2013
The Quick Search API in CiviCRM 4.2.0 through 4.2.9 and 4.3.0 through 4.3.3 allows remote authenticated users to bypass the validation layer and conduct SQL injection attacks via a direct request to the "second layer" of the API, related to contact.getquick.
Scope: local
bullseye: resolved
debian
CVE-2013-5957 | LOW (summary line lists HIGH) | CVSS 7.5 | 2013
Multiple SQL injection vulnerabilities in CRM/Core/Page/AJAX/Location.php in CiviCRM before 4.2.12, 4.3.x before 4.3.7, and 4.4.x before 4.4.beta4 allow remote attackers to execute arbitrary SQL commands via the _value parameter to (1) ajax/jqState or (2) ajax/jqcounty.
Scope: local
bullseye: resolved
debian
CVE-2011-5239 | LOW (summary line lists MEDIUM) | CVSS 5.8 | 2011
CiviCRM 4.0.5 and 4.1.1 does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate.
Scope: local
bullseye: resolved
debian