5.28.1.md

CiviCRM 5.28.1

Released August 19, 2020

• Security advisories
• Bugs Resolved
• Credits

Synopsis

Does this version...?
Fix security vulnerabilities?	yes
Change the database schema?	no
Alter the API?	no
Require attention to configuration options?	no
Fix problems installing or upgrading to a previous version?	no
Introduce features?	no
Fix bugs?	yes

Security advisories

• CIVI-SA-2020-09: Privilege Escalation via Smart Groups
• CIVI-SA-2020-10: Cross Site Scripting in Activity Details
• CIVI-SA-2020-11: CSRF on CKEditor Configuration
• CIVI-SA-2020-12: XSS in CKEditor Configuration
• CIVI-SA-2020-13: XSS in Event Summary
• CIVI-SA-2020-14: XSS in Profile Description
• CIVI-SA-2020-15: Persistant XSS in Contact Activity Tab
• CIVI-SA-2020-16: jQuery CVE-202-11022, CVE-2020-11023
• CIVI-SA-2020-17: Harden Per-Session Private Key
• CIVI-SA-2020-18: HTML Injection via Error Message
• CIVI-SA-2020-19: Edit Permission for Recurring Contributions

Bugs Resolved

• Activities: Exporting all activities from a "Find Activity" search as an ACLed user causes DB error (dev/core#1952: #18017)
• CiviContribute: Receipts display unlabeled price options as "null" (dev/core#1936: #18124)
• CiviContribute: Credit card fields are required even when the amount is 0 (dev/core#1953: #18144, #16163, #18166)
• Dedupe: Merging contacts with certain "Settings" produces error (dev/core#1934: #18126)

Credits

This release was developed by the following people, who participated in various stages of reporting, analysis, development, review, and testing:

Ben Hubbard - Armadillo Security; Coleman Watts - CiviCRM; Cure53; Dave D; Dennis Brinkrolf - RIPS Technologies; Eileen McNaughton - Wikipedia Foundation; Jamie Novick - Compucorp; Jens Schuppe; Jude Hungerford - Asylum Seekers Center; Karin Gerritsen - Semper IT; Kevin Cristiano - Tadpole Collective; Mark Rogers; Mozilla Open Source Support (MOSS); Patrick Figel - Greenpeace CEE; Pradeep Nayak - Circle Interactive; Rich Lott - Artful Robot; Seamus Lee - CiviCRM and JMA Consulting; Sean Colsen - Left Join Labs; Shitij Gugnai - Compucorp; Tim Otten - CiviCRM