Severity by source
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Primary rating from NVD.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Lifecycle Timeline
5DescriptionCVE.org
A Stored Cross Site Scripting vulnerability exists in CiviCRM before v6.7 in the Accounting Batches field. An authenticated user can inject malicious JavaScript into this field and it executes whenever the page is viewed.
Analysis
A Stored Cross Site Scripting vulnerability exists in CiviCRM before v6.7 in the Accounting Batches field. An authenticated user can inject malicious JavaScript into this field and it executes whenever the page is viewed.
Technical ContextAI
Cross-site scripting (XSS) allows injection of client-side scripts into web pages viewed by other users due to insufficient output encoding.
RemediationAI
Encode all user-supplied output contextually (HTML, JS, URL). Implement Content Security Policy (CSP) headers. Use HTTPOnly and Secure cookie flags.
Multiple SQL injection vulnerabilities in CRM/Core/Page/AJAX/Location.php in CiviCRM before 4.2.12, 4.3.x before 4.3.7,
Cross-site scripting (XSS) vulnerability in open-flash-chart.swf in Open Flash Chart (aka Open-Flash Chart), as used in
PEAR HTML_QuickForm version 3.2.14 contains an eval injection (CWE-95) vulnerability in HTML_QuickForm's getSubmitValue
Stored Cross Site Scripting (XSS) vulnerability in the add contact function CiviCRM 5.59.alpha1, allows attackers to exe
The Quick Search API in CiviCRM 4.2.0 through 4.2.9 and 4.3.0 through 4.3.3 allows remote authenticated users to bypass
CiviCRM 2.0.0 through 4.2.9 and 4.3.0 through 4.3.3 does not properly enforce role-based access control (RBAC) restricti
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allVendor StatusVendor
Ubuntu
Priority: Medium| Release | Status | Version |
|---|---|---|
| xenial | needs-triage | - |
| bionic | needs-triage | - |
| focal | needs-triage | - |
| jammy | needs-triage | - |
| noble | DNE | - |
| plucky | DNE | - |
| questing | DNE | - |
| upstream | needs-triage | - |
Debian
| Release | Status | Fixed Version | Urgency |
|---|---|---|---|
| bullseye | vulnerable | 5.33.2+dfsg1-1 | - |
| (unstable) | fixed | (unfixed) | - |
Share
External POC / Exploit Code
Leaving vuln.today
EUVD-2025-200269