Published
2019-11-20 09:00
The field "api_key" has special security rules when accessed via the API. These rules could potentially be bypassed and lead to privilege escalation.
Security Risk
Critical
Vulnerability
Access Bypass
Affected Versions
- CiviCRM versions between 4.7.0 and 5.19.1
Fixed Versions
- CiviCRM 5.19.2 and 5.13.7
Solutions
Upgrade to the latest version of CiviCRM
Credits
Coleman Watts of CiviCRM for reporting.
Coleman Watts of CiviCRM, Tim Otten of CiviCRM, and Seamus Lee of Australian Greens for fixing the issue
References
security/core#62
