# CiviCRM 5.10.3

Released February 20, 2019

- **[Synopsis](#synopsis)**
- **[Security advisories](#security)**
- **[Bugs resolved](#bugs)**
- **[Feedback](#feedback)**

## <a name="synopsis"></a>Synopsis

| *Does this version...?*                                         |         |
|:--------------------------------------------------------------- |:-------:|
| **Fix security vulnerabilities?**                               | **yes** |
| Change the database schema?                                     |   no    |
| Alter the API?                                                  |   no    |
| Require attention to configuration options?                     |   no    |
| Fix problems installing or upgrading to a previous version?     |   no    |
| Introduce features?                                             |   no    |
| **Fix bugs?**                                                   | **yes** |

## <a name="security"></a>Security advisories
- **[CIVI-SA-2019-01](https://civicrm.org/advisory/civi-sa-2019-01-weak-access-control-for-file-attachments)**:
  Weak access-control for file attachments
- **[CIVI-SA-2019-02](https://civicrm.org/advisory/civi-sa-2019-02-sqli-in-prevnext-cache)**:
  SQL Injection in "PrevNext" Cache
- **[CIVI-SA-2019-03](https://civicrm.org/advisory/civi-sa-2019-03-xss-in-logging-details-report)**:
  Cross-Site Scripting in "Logging Details" Report
- **[CIVI-SA-2019-04](https://civicrm.org/advisory/civi-sa-2019-04-sqli-in-group-tag-filters)**:
  SQL Injection in Group and Tag Filters
- **[CIVI-SA-2019-05](https://civicrm.org/advisory/civi-sa-2019-05-xss-in-new-pledge-form)**:
  Cross-Site Scripting in "New Pledge" Form
- **[CIVI-SA-2019-06](https://civicrm.org/advisory/civi-sa-2019-06-xss-in-contact-entity-reference-fields)**:
  Cross-Site Scripting in Contact Reference Fields
- **[CIVI-SA-2019-07](https://civicrm.org/advisory/civi-sa-2019-07-limit-cross-domain-execution-by-jquery)**:
  Limit Cross-Domain Execution by jQuery

## <a name="bugs"></a>Bugs resolved

### Core CiviCRM

- **[dev/core#695](https://lab.civicrm.org/dev/core/issues/695) Custom Search
  results selection failure and
  [dev/core#679](https://lab.civicrm.org/dev/core/issues/679) Groups and Tags
  affect search results when using Search Builder
  ([13533](https://github.com/civicrm/civicrm-core/pull/13533))**

  This resolves some search regressions introduced in 5.9.0 relating to caching
  and custom searches.

- **[dev/core#737](https://lab.civicrm.org/dev/core/issues/737) SMS not sent if
  "Send Immediately" option is chosen on the last screen
  ([13641](https://github.com/civicrm/civicrm-core/pull/13641))**

  This resolves an issue where if you selected to send a Bulk SMS immediately
  it would not be sent because the scheduled date was set to `NULL` rather than
  the current date and time.

## <a name="feedback"></a>Feedback

Security release notes are edited by Seamus Lee and Tim Otten, and release
notes generally are edited by Andie Hunt.  If you'd like to provide
feedback on them, please login to https://chat.civicrm.org/civicrm and
contact `@agh1`.