Security Risk: Critical
Vulnerability: Cross Site Request Forgery
Affected Versions:
  • CiviCRM 5.19.0 - 5.19.3
  • Any previous version of CiviCRM - with extension "org.civicrm.api4" before 4.5.4 or 4.4.5
Fixed Versions:
  • CiviCRM 5.20.0+
  • CiviCRM 5.19.4+
  • CiviCRM 5.13.8+ - with bundled extension "org.civicrm.api4" (v4.4.5+) Extended Security Release
Publication Date: Wednesday, December 4, 2019
Description: 

The AJAX endpoint for APIv4 was vulnerable to cross-site request forgery. If an administrative user visited a malicious page outside of CiviCRM, that page could make the user's browser send requests to the APIv4 endpoint, and because the browser attaches the user's session cookie automatically, those requests would perform privileged actions on the CiviCRM site with the administrator's authority.
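As an added illustration (not code from CiviCRM, the api4 extension, or this advisory), the following Python model shows an AJAX endpoint that trusts the session cookie alone beside the same endpoint with a per-session synchronizer token and an Origin check. The session store, site origin, header name, token format and the sample action parameter are all constructed for the example; the advisory does not state which mechanism the real fix uses.

```python
import hmac
import secrets

# Assumed origin of the site (hypothetical, not from the advisory).
SITE_ORIGIN = "https://crm.example.org"

# Constructed in-memory session store: session id -> session data.
# A real deployment keeps this server-side in the CMS session.
SESSIONS = {
    "sess-admin-1": {"user": "admin", "csrf_token": None},
}


def issue_csrf_token(session_id):
    """Create a per-session secret that the site's own pages embed in AJAX calls."""
    token = secrets.token_hex(32)
    SESSIONS[session_id]["csrf_token"] = token
    return token


class Request:
    """Minimal stand-in for the HTTP request an AJAX handler receives."""

    def __init__(self, cookies=None, headers=None, params=None):
        self.cookies = cookies or {}
        self.headers = headers or {}
        self.params = params or {}


def vulnerable_api_handler(req):
    """Accepts any request carrying a valid session cookie.

    The browser attaches the cookie automatically, even when the request was
    triggered by a page on a different origin, so a cross-site page can drive
    privileged actions with the victim's authority.
    """
    session = SESSIONS.get(req.cookies.get("sessid"))
    if session is None:
        return 403, "not authenticated"
    return 200, f"{session['user']} ran {req.params.get('action')}"


def hardened_api_handler(req):
    """Same handler with two checks a page on another origin cannot satisfy."""
    session = SESSIONS.get(req.cookies.get("sessid"))
    if session is None:
        return 403, "not authenticated"

    # 1. Synchronizer token: the value lives in the site's own page, which the
    #    same-origin policy hides from other origins. Compare in constant time.
    supplied = req.headers.get("X-CSRF-Token") or req.params.get("csrf_token")
    expected = session["csrf_token"]
    if not supplied or not expected or not hmac.compare_digest(supplied, expected):
        return 403, "missing or invalid CSRF token"

    # 2. Defence in depth: browsers set Origin (or Referer) on cross-site
    #    requests and page scripts cannot overwrite it.
    source = req.headers.get("Origin") or req.headers.get("Referer", "")
    if not source.startswith(SITE_ORIGIN):
        return 403, "cross-origin request refused"

    return 200, f"{session['user']} ran {req.params.get('action')}"


def cross_site_request():
    """Constructed request as it arrives from another origin: cookie yes, token no."""
    return Request(
        cookies={"sessid": "sess-admin-1"},
        headers={"Origin": "https://other-site.example"},
        params={"action": "Contact.delete"},  # constructed sample action
    )


def same_origin_request(token):
    """Constructed request from the site's own JavaScript, carrying the token."""
    return Request(
        cookies={"sessid": "sess-admin-1"},
        headers={"Origin": SITE_ORIGIN, "X-CSRF-Token": token},
        params={"action": "Contact.delete"},
    )


def demo():
    """Run both handlers against the constructed requests; returns status codes."""
    token = issue_csrf_token("sess-admin-1")
    return {
        "vulnerable_cross_site": vulnerable_api_handler(cross_site_request())[0],
        "hardened_cross_site": hardened_api_handler(cross_site_request())[0],
        "hardened_same_origin": hardened_api_handler(same_origin_request(token))[0],
    }


if __name__ == "__main__":
    print(demo())
```

The token check is what closes the hole: the cookie alone proves only that the browser is logged in, not that the site's own page initiated the request. The Origin check is a second, independent signal and is worth keeping even where tokens are in place, since it catches integrations that forget to send the token.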

Solutions: 

Any ONE of the following is sufficient:

  • (For CiviCRM 5.19.x) Upgrade to a secure version of CiviCRM
  • (For CiviCRM <= 5.18) Upgrade to a secure version of the "org.civicrm.api4" extension
  • (For CiviCRM <= 5.18) Disable the "org.civicrm.api4" extension
Credits: 

Patrick Figel from Greenpeace CEE for reporting the issue

Seamus Lee from Australian Greens for fixing the issue

References: 

security/core#71