| 1 | # CiviCRM 5.28.1 |
| 2 | |
| 3 | Released August 19, 2020 |
| 4 | |
| 5 | - **[Security advisories](#security)** |
| 6 | - **[Bugs Resolved](#bugs)** |
| 7 | - **[Credits](#credits)** |
| 8 | |
| 9 | ## <a name="synopsis"></a>Synopsis |
| 10 | |
| 11 | | *Does this version...?* | | |
| 12 | |:--------------------------------------------------------------- |:-------:| |
| 13 | | **Fix security vulnerabilities?** | **yes** | |
| 14 | | Change the database schema? | no | |
| 15 | | Alter the API? | no | |
| 16 | | Require attention to configuration options? | no | |
| 17 | | Fix problems installing or upgrading to a previous version? | no | |
| 18 | | Introduce features? | no | |
| 19 | | **Fix bugs?** | **yes** | |
| 20 | |
| 21 | ## <a name="security"></a>Security advisories |
| 22 | |
| 23 | - **[CIVI-SA-2020-09](https://civicrm.org/advisory/civi-sa-2020-09-privilege-escalation-acl-smart-groups): Privilege Escalation via Smart Groups** |
| 24 | - **[CIVI-SA-2020-10](https://civicrm.org/advisory/civi-sa-2020-10-cross-site-scripting-activity-details): Cross Site Scripting in Activity Details** |
| 25 | - **[CIVI-SA-2020-11](https://civicrm.org/advisory/civi-sa-2020-11-csrf-ckeditor-configuration-form): CSRF on CKEditor Configuration** |
| 26 | - **[CIVI-SA-2020-12](https://civicrm.org/advisory/civi-sa-2020-12-xss-ckeditor-configuration): XSS in CKEditor Configuration** |
| 27 | - **[CIVI-SA-2020-13](https://civicrm.org/advisory/civi-sa-2020-13-xss-event-summary): XSS in Event Summary** |
| 28 | - **[CIVI-SA-2020-14](https://civicrm.org/advisory/civi-sa-2020-14-xss-profile-description-field): XSS in Profile Description** |
| 29 | - **[CIVI-SA-2020-15](https://civicrm.org/advisory/civi-sa-2020-15-persistent-xss-contact-activity-tab): Persistant XSS in Contact Activity Tab** |
| 30 | - **[CIVI-SA-2020-16](https://civicrm.org/advisory/civi-sa-2020-16-jquery-security-update-cve-2020-11022-cve-2020-11023): jQuery CVE-202-11022, CVE-2020-11023** |
| 31 | - **[CIVI-SA-2020-17](https://civicrm.org/advisory/civi-sa-2020-17-harden-session-private-key): Harden Per-Session Private Key** |
| 32 | - **[CIVI-SA-2020-18](https://civicrm.org/advisory/civi-sa-2020-18-html-injection-through-error-message): HTML Injection via Error Message** |
| 33 | - **[CIVI-SA-2020-19](https://civicrm.org/advisory/civi-sa-2020-19-edit-permission-recurring-contributions): Edit Permission for Recurring Contributions** |
| 34 | |
| 35 | ## <a name="bugs"></a>Bugs Resolved |
| 36 | |
| 37 | * **_Activities_: Exporting all activities from a "Find Activity" search as an ACLed user causes DB error ([dev/core#1952](https://lab.civicrm.org/dev/core/-/issues/1952): |
| 38 | [#18017](https://github.com/civicrm/civicrm-core/pull/18017))** |
| 39 | * **_CiviContribute_: Receipts display unlabeled price options as "null" ([dev/core#1936](https://lab.civicrm.org/dev/core/-/issues/1936): |
| 40 | [#18124](https://github.com/civicrm/civicrm-core/pull/18124))** |
| 41 | * **_CiviContribute_: Credit card fields are required even when the amount is 0 ([dev/core#1953](https://lab.civicrm.org/dev/core/-/issues/1953): |
| 42 | [#18144](https://github.com/civicrm/civicrm-core/pull/18144), [#16163](https://github.com/civicrm/civicrm-core/pull/16163), [#18166](https://github.com/civicrm/civicrm-core/pull/16166))** |
| 43 | * **_Dedupe_: Merging contacts with certain "Settings" produces error ([dev/core#1934](https://lab.civicrm.org/dev/core/-/issues/1934): |
| 44 | [#18126](https://github.com/civicrm/civicrm-core/pull/18126))** |
| 45 | |
| 46 | ## <a name="credits"></a>Credits |
| 47 | |
| 48 | This release was developed by the following people, who participated in |
| 49 | various stages of reporting, analysis, development, review, and testing: |
| 50 | |
| 51 | Ben Hubbard - Armadillo Security; Coleman Watts - CiviCRM; Cure53; Dave D; |
| 52 | Dennis Brinkrolf - RIPS Technologies; Eileen McNaughton - Wikipedia |
| 53 | Foundation; Jamie Novick - Compucorp; Jens Schuppe; Jude Hungerford - Asylum |
| 54 | Seekers Center; Karin Gerritsen - Semper IT; Kevin Cristiano - Tadpole |
| 55 | Collective; Mark Rogers; Mozilla Open Source Support (MOSS); Patrick Figel - |
| 56 | Greenpeace CEE; Pradeep Nayak - Circle Interactive; Rich Lott - Artful |
| 57 | Robot; Seamus Lee - CiviCRM and JMA Consulting; Sean Colsen - Left Join |
| 58 | Labs; Shitij Gugnai - Compucorp; Tim Otten - CiviCRM |