# CiviCRM 5.28.1 Released August 19, 2020 - **[Security advisories](#security)** - **[Bugs Resolved](#bugs)** - **[Credits](#credits)** ## <a name="synopsis"></a>Synopsis | *Does this version...?* | | |:--------------------------------------------------------------- |:-------:| | **Fix security vulnerabilities?** | **yes** | | Change the database schema? | no | | Alter the API? | no | | Require attention to configuration options? | no | | Fix problems installing or upgrading to a previous version? | no | | Introduce features? | no | | **Fix bugs?** | **yes** | ## <a name="security"></a>Security advisories - **[CIVI-SA-2020-09](https://civicrm.org/advisory/civi-sa-2020-09-privilege-escalation-acl-smart-groups): Privilege Escalation via Smart Groups** - **[CIVI-SA-2020-10](https://civicrm.org/advisory/civi-sa-2020-10-cross-site-scripting-activity-details): Cross Site Scripting in Activity Details** - **[CIVI-SA-2020-11](https://civicrm.org/advisory/civi-sa-2020-11-csrf-ckeditor-configuration-form): CSRF on CKEditor Configuration** - **[CIVI-SA-2020-12](https://civicrm.org/advisory/civi-sa-2020-12-xss-ckeditor-configuration): XSS in CKEditor Configuration** - **[CIVI-SA-2020-13](https://civicrm.org/advisory/civi-sa-2020-13-xss-event-summary): XSS in Event Summary** - **[CIVI-SA-2020-14](https://civicrm.org/advisory/civi-sa-2020-14-xss-profile-description-field): XSS in Profile Description** - **[CIVI-SA-2020-15](https://civicrm.org/advisory/civi-sa-2020-15-persistent-xss-contact-activity-tab): Persistant XSS in Contact Activity Tab** - **[CIVI-SA-2020-16](https://civicrm.org/advisory/civi-sa-2020-16-jquery-security-update-cve-2020-11022-cve-2020-11023): jQuery CVE-202-11022, CVE-2020-11023** - **[CIVI-SA-2020-17](https://civicrm.org/advisory/civi-sa-2020-17-harden-session-private-key): Harden Per-Session Private Key** - **[CIVI-SA-2020-18](https://civicrm.org/advisory/civi-sa-2020-18-html-injection-through-error-message): HTML Injection via Error Message** - **[CIVI-SA-2020-19](https://civicrm.org/advisory/civi-sa-2020-19-edit-permission-recurring-contributions): Edit Permission for Recurring Contributions** ## <a name="bugs"></a>Bugs Resolved * **_Activities_: Exporting all activities from a "Find Activity" search as an ACLed user causes DB error ([dev/core#1952](https://lab.civicrm.org/dev/core/-/issues/1952): [#18017](https://github.com/civicrm/civicrm-core/pull/18017))** * **_CiviContribute_: Receipts display unlabeled price options as "null" ([dev/core#1936](https://lab.civicrm.org/dev/core/-/issues/1936): [#18124](https://github.com/civicrm/civicrm-core/pull/18124))** * **_CiviContribute_: Credit card fields are required even when the amount is 0 ([dev/core#1953](https://lab.civicrm.org/dev/core/-/issues/1953): [#18144](https://github.com/civicrm/civicrm-core/pull/18144), [#16163](https://github.com/civicrm/civicrm-core/pull/16163), [#18166](https://github.com/civicrm/civicrm-core/pull/16166))** * **_Dedupe_: Merging contacts with certain "Settings" produces error ([dev/core#1934](https://lab.civicrm.org/dev/core/-/issues/1934): [#18126](https://github.com/civicrm/civicrm-core/pull/18126))** ## <a name="credits"></a>Credits This release was developed by the following people, who participated in various stages of reporting, analysis, development, review, and testing: Ben Hubbard - Armadillo Security; Coleman Watts - CiviCRM; Cure53; Dave D; Dennis Brinkrolf - RIPS Technologies; Eileen McNaughton - Wikipedia Foundation; Jamie Novick - Compucorp; Jens Schuppe; Jude Hungerford - Asylum Seekers Center; Karin Gerritsen - Semper IT; Kevin Cristiano - Tadpole Collective; Mark Rogers; Mozilla Open Source Support (MOSS); Patrick Figel - Greenpeace CEE; Pradeep Nayak - Circle Interactive; Rich Lott - Artful Robot; Seamus Lee - CiviCRM and JMA Consulting; Sean Colsen - Left Join Labs; Shitij Gugnai - Compucorp; Tim Otten - CiviCRM