Security Risk:
Critical
Vulnerability:
Access Bypass
Affected Versions:
- CiviCRM versions between 4.7.0 and 5.19.1
Fixed Versions:
- CiviCRM 5.19.2 and 5.13.7
Publication Date:
Wednesday, November 20, 2019
Description:
The "api_key" field on contact records is subject to special security rules when it is read or written through the API. These rules could be bypassed, allowing an API caller to escalate privileges: an api_key authenticates its contact to CiviCRM's REST API, so exposing or setting one grants that contact's permissions.
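How a rule of this kind should be enforced, as an added example that is not CiviCRM's own code: a small Python model of a contact API in which api_key may be read, written, or used as a filter only by a caller holding 'edit api keys', or 'edit own api keys' when the request is pinned to the caller's own contact id. The two permission names are CiviCRM's; the request format, the in-memory contact store, the sample keys and every function here are assumptions made for the example. The point it makes is that the guard has to cover every route to the field: explicit and wildcard return lists, write values, and filter clauses (matching on a secret is an oracle even when the value itself is never returned).

```python
"""Field-level guard for a secret field in a CRUD API, modelled on the
api_key policy described in this advisory.  Added example, not CiviCRM code.
The permission names 'edit api keys' and 'edit own api keys' are CiviCRM's;
the request format, the in-memory store and all functions are assumptions."""
from dataclasses import dataclass

PROTECTED = "api_key"
EDIT_ALL = "edit api keys"
EDIT_OWN = "edit own api keys"


@dataclass(frozen=True)
class Caller:
    contact_id: int
    permissions: frozenset


def sample_store():
    """Constructed sample contacts; the keys are made up for the example."""
    return {
        1: {"id": 1, "display_name": "Alice", "api_key": "alice-key"},
        2: {"id": 2, "display_name": "Bob", "api_key": "bob-key"},
    }


def may_touch_key(caller, target_id):
    """True if caller may read or write api_key on contact target_id.
    'edit own api keys' applies only when the request is pinned to the
    caller's own record; an unscoped request (target_id None) never qualifies."""
    if EDIT_ALL in caller.permissions:
        return True
    return EDIT_OWN in caller.permissions and target_id == caller.contact_id


def key_paths(params):
    """Every way a request can reach the protected field: as a value to write
    or filter on, as a where clause, or in the returned columns (an absent or
    wildcard 'return' selects every column, so it counts too)."""
    paths = set()
    if PROTECTED in params:
        paths.add("value")
    if any(clause[0] == PROTECTED for clause in params.get("where", [])):
        paths.add("where")
    ret = params.get("return")
    if ret is None or ret == "*" or PROTECTED in ret:
        paths.add("return")
    return paths


def contact_get(caller, store, params):
    """Read contacts; api_key is stripped from rows the caller may not see it on."""
    target = params.get("id")
    paths = key_paths(params)
    # Filtering on the secret is an oracle: it needs the same right as reading it.
    if ({"value", "where"} & paths) and not may_touch_key(caller, target):
        raise PermissionError("filtering on api_key requires 'edit api keys'")
    rows = [dict(c) for c in store.values() if target is None or c["id"] == target]
    if "value" in paths:
        rows = [r for r in rows if r[PROTECTED] == params[PROTECTED]]
    for fld, op, val in params.get("where", []):
        if op != "=":
            raise ValueError("only '=' is modelled here")
        rows = [r for r in rows if r.get(fld) == val]
    # Drop the field per row, whether it was selected explicitly or by wildcard.
    for r in rows:
        if not may_touch_key(caller, r["id"]):
            r.pop(PROTECTED, None)
    ret = params.get("return")
    if ret not in (None, "*"):
        rows = [{k: v for k, v in r.items() if k in ret or k == "id"} for r in rows]
    return rows


def contact_update(caller, store, params):
    """Write a contact; setting api_key is refused without the right permission."""
    target = params["id"]
    if PROTECTED in params and not may_touch_key(caller, target):
        raise PermissionError("setting api_key requires 'edit api keys'")
    store[target].update({k: v for k, v in params.items() if k != "id"})
    return dict(store[target])


def is_denied(fn, *args):
    """True if the call is refused by the guard (raises PermissionError)."""
    try:
        fn(*args)
        return False
    except PermissionError:
        return True


if __name__ == "__main__":
    store = sample_store()
    bob = Caller(2, frozenset({EDIT_OWN}))
    print(contact_get(bob, store, {"id": 2, "return": ["api_key"]}))   # own key visible
    print(contact_get(bob, store, {"id": 1, "return": ["api_key"]}))   # Alice's key stripped
    print(is_denied(contact_get, bob, store, {"api_key": "alice-key"}))  # True: oracle blocked
```

Note that reads strip the field rather than fail, so an ordinary `get` keeps working for callers without the permission, while any attempt to match on or write the secret is refused outright; both halves are needed, since a filter-only bypass leaks the key without ever returning it.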
Solutions:
Upgrade to CiviCRM 5.19.2 or later, or to 5.13.7 if you follow the 5.13 series.
Credits:
Coleman Watts of CiviCRM for reporting.
Coleman Watts of CiviCRM, Tim Otten of CiviCRM, and Seamus Lee of Australian Greens for fixing the issue
References:
security/core#62