Civicrm: >> Civicrm >> 5.23.0 Security Vulnerabilities
A Stored Cross Site Scripting vulnerability exists in CiviCRM before v6.7 in the Accounting Batches field. An authenticated user can inject malicious JavaScript into this field and it executes whenever the page is viewed.
CVSS Score
6.1
EPSS Score
0.002
Published
2025-12-02
In CiviCRM before 5.21.3 and 5.22.x through 5.24.x before 5.24.3, users may be able to upload and execute a crafted PHAR archive.
CVSS Score
8.8
EPSS Score
0.015
Published
2021-06-17