CIVI-SA-2019-20: Privilege Escalation via Leaked Key

Submitted by dev-team on November 20, 2019 - 09:00
Security Risk: 
Critical
Vulnerability: 
Access Bypass
Affected Versions: 
  • CiviCRM versions between 4.7.0 and 5.19.1
Fixed Versions: 
  • CiviCRM 5.19.2 and 5.13.7
Publication Date: 
Wednesday, November 20, 2019
Description: 

The field "api_key" has special security rules when accessed via the API. These rules could potentially be bypassed and lead to privilege escalation.

Solutions: 

Upgrade to the latest version of CiviCRM

Credits: 

Coleman Watts of CiviCRM for reporting.

Coleman Watts of CiviCRM, Tim Otten of CiviCRM, and Seamus Lee of Australian Greens for fixing the issue

References: 

security/core#62

WORK WITH A TRUSTED EXPERT
TO SETUP YOUR CIVICRM

Make your next CiviCRM implementation a Success.
Find an Expert

© 2005 - 2020, CIVICRM LLC. All rights reserved.
CiviCRM and the CiviCRM logo are trademarks of CIVICRM LLC. Except where otherwise noted, content on this site is licensed under a Creative Commons Attribution-Share Alike 3.0 United States Licence.