CIVI-SA-2019-24 CSRF in APIv4 AJAX end point

The AJAX end-point for APIv4 was vulnerable to a cross-site request forgery. If an administrative user visited a malicious page outside of CiviCRM, the malicious page could trick that user's browser into performing privileged actions on the CiviCRM site.

Security Risk

Critical

Vulnerability

Cross Site Request Forgery

Affected Versions

CiviCRM 5.19.0 - 5.19.3
Any previous version of CiviCRM - with extension "org.civicrm.api4" before 4.5.4 or 4.4.5

Fixed Versions

CiviCRM 5.20.0+
CiviCRM 5.19.4+
CiviCRM 5.13.8+ - with bundled extension "org.civicrm.api4" (v4.4.5+) Extended Security Release

Solutions

Any ONE of the following is sufficient:

(For CiviCRM 5.19.x) Upgrade to a secure version of CiviCRM
(For CiviCRM <= 5.18) Upgrade to a secure version of the "org.civicrm.api4" extension
(For CiviCRM < =5.18) Disable the "org.civicrm.api4" extension

Credits

Patrick Figel from Greenpeace CEE for reporting the issue

Seamus Lee from Australian Greens for fixing the issue

References

security/core#71

CIVI-SA-2019-24 CSRF in APIv4 AJAX end point

WORK WITH A TRUSTED EXPERT
TO SETUP YOUR CIVICRM

Languages

CIVI-SA-2019-24 CSRF in APIv4 AJAX end point

WORK WITH A TRUSTED EXPERT TO SETUP YOUR CIVICRM

WORK WITH A TRUSTED EXPERT
TO SETUP YOUR CIVICRM