CiviCRM Security Release (5.28.1, 5.27.5 ESR) - Multiple advisories

There has been a security release for CiviCRM. We recommend you immediately upgrade to one of the following versions:

CiviCRM v5.28.1 CiviCRM v5.27.5 ESR

Below are the security advisories:

CIVI-SA-2020-09: Privilege Escalation via Smart Groups CIVI-SA-2020-10: Cross Site Scripting in Activity Details CIVI-SA-2020-11: CSRF on CKEditor Configuration CIVI-SA-2020-12: XSS in CKEditor Configuration CIVI-SA-2020-13: XSS in Event Summary CIVI-SA-2020-14: XSS in Profile Description CIVI-SA-2020-15: Persistant XSS in Contact Activity Tab CIVI-SA-2020-16: jQuery CVE-202-11022, CVE-2020-11023 CIVI-SA-2020-17: Harden Per-Session Private Key CIVI-SA-2020-18: HTML Injection via Error Message CIVI-SA-2020-19: Edit Permission for Recurring Contributions

A couple of other issues have been fixed in these releases. Please see the official announcement and release notes.

Upgrade now for the most stable CiviCRM experience:

To download CiviCRM 5.28.1: https://civicrm.org/download To download CiviCRM 5.27.5 ESR version: https://civicrm.org/esr

Click this link to unsubscribe from this mailing list. Click this link to opt out of all mail from CiviCRM.org. Our mailing address is:
2367 24th Ave
San Francisco, California 94116
United States