Released March 17, 2021
| Does this version...? | |
|:--|:--:|
| Change the database schema? | no |
| Alter the API? | no |
| Require attention to configuration options? | no |
| Fix problems installing or upgrading to a previous version? | yes |

- CIVI-SA-2021-01: Reflected Cross Site Scripting via Uploaded CSVs
- CIVI-SA-2021-02: Web Executable Utility Scripts
- CIVI-SA-2021-03: Cross Site Scripting in "Manage Extensions"
- CIVI-SA-2021-04: Cross Site Scripting in the APIv4 Explorer
- CIVI-SA-2021-05: Reflected Cross Site Scripting in Personal Campaign Pages
- CIVI-SA-2021-06: Timing Attacks Against the Site Key
- CIVI-SA-2021-07: SQL injection in Joomla user integration
CiviCampaign: Fix error when reserving respondents for a survey (#19811)
A common misconfiguration on Drupal 8+ is to omit `enable-patching`. This currently manifests as an error about `crm-menubar.css`. The change does not fix the misconfiguration, but it makes the error more manageable.
Special support from Deutsche Gesellschaft für Internationale Zusammenarbeit GmbH contributed significantly to this release and other contemporaneous security improvements.
This release was developed by the following authors and reviewers:
Wikimedia Foundation - Eileen McNaughton; Stephen Palmstrom; Semper IT - Karin Gerritsen; Progressive Technology Project - Jamie McClelland; Megaphone Technology Consulting - Jon Goldberg; MJW Consulting - Matthew Wire; MJCO - Mikey O'Toole; JMA Consulting - Seamus Lee, Monish Deb; Fuzion - Luke Stewart; Dmitry Smirnov; Dave D; CiviCRM - Tim Otten, Coleman Watts; Circle Interactive - Pradeep Nayak; Blackfly Solutions - Alan Dixon; Artful Robot - Rich Lott; AGH Strategies - Andrew Hunt
These release notes are edited by Tim Otten and Andrew Hunt. If you'd like to
provide feedback on them, please log in to https://chat.civicrm.org/civicrm and