# CiviCRM 5.10.3

Released February 20, 2019

- **[Synopsis](#synopsis)**
- **[Security advisories](#security)**
- **[Bugs resolved](#bugs)**
- **[Feedback](#feedback)**

## <a name="synopsis"></a>Synopsis

| *Does this version...?*                                         |         |
|:--------------------------------------------------------------- |:-------:|
| **Fix security vulnerabilities?**                               | **yes** |
| Change the database schema?                                     | no      |
| Alter the API?                                                  | no      |
| Require attention to configuration options?                     | no      |
| Fix problems installing or upgrading to a previous version?     | no      |
| Introduce features?                                             | no      |
| **Fix bugs?**                                                   | **yes** |

## <a name="security"></a>Security advisories

- **[CIVI-SA-2019-01](https://civicrm.org/advisory/civi-sa-2019-01-weak-access-control-for-file-attachments)**:
  Weak access-control for file attachments
- **[CIVI-SA-2019-02](https://civicrm.org/advisory/civi-sa-2019-02-sqli-in-prevnext-cache)**:
  SQL Injection in "PrevNext" Cache
- **[CIVI-SA-2019-03](https://civicrm.org/advisory/civi-sa-2019-03-xss-in-logging-details-report)**:
  Cross-Site Scripting in "Logging Details" Report
- **[CIVI-SA-2019-04](https://civicrm.org/advisory/civi-sa-2019-04-sqli-in-group-tag-filters)**:
  SQL Injection in Group and Tag Filters
- **[CIVI-SA-2019-05](https://civicrm.org/advisory/civi-sa-2019-05-xss-in-new-pledge-form)**:
  Cross-Site Scripting in "New Pledge" Form
- **[CIVI-SA-2019-06](https://civicrm.org/advisory/civi-sa-2019-06-xss-in-contact-entity-reference-fields)**:
  Cross-Site Scripting in Contact Reference Fields
- **[CIVI-SA-2019-07](https://civicrm.org/advisory/civi-sa-2019-07-limit-cross-domain-execution-by-jquery)**:
  Limit Cross-Domain Execution by jQuery

## <a name="bugs"></a>Bugs resolved

### Core CiviCRM

- **[dev/core#695](https://lab.civicrm.org/dev/core/issues/695) Custom Search
  results selection failure and
  [dev/core#679](https://lab.civicrm.org/dev/core/issues/679) Groups and Tags
  affect search results when using Search Builder
  ([13533](https://github.com/civicrm/civicrm-core/pull/13533))**

  This resolves some search regressions introduced in 5.9.0 relating to caching
  and custom searches.

- **[dev/core#737](https://lab.civicrm.org/dev/core/issues/737) SMS not sent if
  "Send Immediately" option is chosen on the last screen
  ([13641](https://github.com/civicrm/civicrm-core/pull/13641))**

  This resolves an issue where if you selected to send a Bulk SMS immediately
  it would not be sent because the scheduled date was set to `NULL` rather than
  the current date and time.

## <a name="feedback"></a>Feedback

Security release notes are edited by Seamus Lee and Tim Otten, and release
notes generally are edited by Andrew Hunt. If you'd like to provide
feedback on them, please log in to https://chat.civicrm.org/civicrm and
contact `@agh1`.