CVE-2025-65187
- EPSS 0.03%
- Published 02.12.2025 00:00:00
- Last modified 02.12.2025 20:15:52
A stored cross-site scripting (XSS) vulnerability exists in CiviCRM before v6.7 in the Accounting Batches field. An authenticated user can inject malicious JavaScript into this field, and it executes whenever the page is viewed.
CVE-2023-25440
- EPSS 0.2%
- Published 23.05.2023 01:15:09
- Last modified 31.01.2025 14:15:29
A stored cross-site scripting (XSS) vulnerability in the add contact function of CiviCRM 5.59.alpha1 allows attackers to execute arbitrary code via the first/second name field.
CVE-2020-36388
- EPSS 0.59%
- Published 17.06.2021 19:15:07
- Last modified 21.11.2024 05:29:23
In CiviCRM before 5.21.3 and 5.22.x through 5.24.x before 5.24.3, users may be able to upload and execute a crafted PHAR archive.
CVE-2020-36389
- EPSS 0.41%
- Published 17.06.2021 19:15:07
- Last modified 21.11.2024 05:29:23
In CiviCRM before 5.28.1 and CiviCRM ESR before 5.27.5 ESR, the CKEditor configuration form allows CSRF.
CVE-2018-1999022
- EPSS 1.4%
- Published 23.07.2018 16:29:00
- Last modified 21.11.2024 03:57:04
PEAR HTML_QuickForm version 3.2.14 contains an eval injection (CWE-95) vulnerability in HTML_QuickForm's getSubmitValue method, HTML_QuickForm's validate method, HTML_QuickForm_hierselect's _setOptions method, HTML_QuickForm_element's _findValue meth...
CVE-2013-1636
- EPSS 10.32%
- Published 12.03.2014 14:55:26
- Last modified 12.04.2025 10:46:40
Cross-site scripting (XSS) vulnerability in open-flash-chart.swf in Open Flash Chart (aka Open-Flash Chart), as used in the Pretty Link Lite plugin before 1.6.3 for WordPress, JNews (com_jnews) component 8.0.1 for Joomla!, and CiviCRM 3.1.0 through 4...
CVE-2013-4661
- EPSS 0.17%
- Published 29.01.2014 18:55:26
- Last modified 11.04.2025 00:51:21
CiviCRM 2.0.0 through 4.2.9 and 4.3.0 through 4.3.3 does not properly enforce role-based access control (RBAC) restrictions for default custom searches, which allows remote authenticated users with the "access CiviCRM" permission to bypass intended a...
CVE-2013-4662
- EPSS 0.13%
- Published 29.01.2014 18:55:26
- Last modified 11.04.2025 00:51:21
The Quick Search API in CiviCRM 4.2.0 through 4.2.9 and 4.3.0 through 4.3.3 allows remote authenticated users to bypass the validation layer and conduct SQL injection attacks via a direct request to the "second layer" of the API, related to contact.g...
CVE-2013-5957
- EPSS 0.36%
- Published 27.11.2013 18:55:04
- Last modified 11.04.2025 00:51:21
Multiple SQL injection vulnerabilities in CRM/Core/Page/AJAX/Location.php in CiviCRM before 4.2.12, 4.3.x before 4.3.7, and 4.4.x before 4.4.beta4 allow remote attackers to execute arbitrary SQL commands via the _value parameter to (1) ajax/jqState o...
CVE-2011-5239
- EPSS 0.19%
- Published 06.11.2012 12:21:26
- Last modified 11.04.2025 00:51:21
CiviCRM 4.0.5 and 4.1.1 does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary ...