CIVI-SA-2019-24 CSRF in APIv4 AJAX end point

Published
2019-12-04 09:00

The AJAX endpoint for APIv4 was vulnerable to cross-site request forgery (CSRF). If an administrative user who was logged in to CiviCRM visited a malicious page outside of CiviCRM, that page could cause the user's browser to send requests to the endpoint. Because the browser attaches the user's session cookie to such requests regardless of which page issued them, the site would carry out privileged API actions with that user's permissions, without the user intending or noticing it.
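The bug class above, illustrated with an added Python example. This is not CiviCRM's code and does not describe how CiviCRM's own fix is implemented; it shows the general pattern: a handler that trusts the session cookie alone is forgeable from any origin, while one that also demands a session-bound token (which a page on another origin cannot read) and checks the Origin header is not. The site host, the "Contact.delete" action, the "_token" parameter and the session layout are all hypothetical.

```python
"""Vulnerable vs. hardened AJAX endpoint under CSRF (added illustration, not CiviCRM code).

Everything here is constructed for the demo: the site origin, the "Contact.delete"
action, the "_token" parameter name and the session store.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Optional


@dataclass
class Request:
    method: str
    origin: Optional[str]   # value of the Origin header, or None if the browser sent none
    cookies: dict
    params: dict


class Site:
    """Toy application: a session store plus one privileged AJAX action."""

    HOST = "https://civi.example.org"   # hypothetical site origin

    def __init__(self):
        self.sessions = {}          # session id -> {"user": ..., "csrf_key": ...}
        self.deleted_contacts = []  # the side effect we watch in the demo

    def login(self, user):
        sid = secrets.token_hex(16)
        self.sessions[sid] = {"user": user, "csrf_key": secrets.token_bytes(32)}
        return sid

    def csrf_token(self, sid):
        """Per-session token that the site's own pages embed in every AJAX call.
        A page on another origin cannot read it, which is what defeats CSRF."""
        key = self.sessions[sid]["csrf_key"]
        return hmac.new(key, b"ajax-endpoint", hashlib.sha256).hexdigest()

    def _privileged_action(self, req):
        if req.params.get("action") == "Contact.delete":
            self.deleted_contacts.append(req.params["id"])
            return 200, "deleted"
        return 400, "unknown action"

    def vulnerable_endpoint(self, req):
        """Before the fix: a valid session cookie is the only thing checked,
        and the browser attaches that cookie to requests from any origin."""
        if req.cookies.get("session") not in self.sessions:
            return 403, "not logged in"
        return self._privileged_action(req)

    def hardened_endpoint(self, req):
        """After: the same cookie check, plus a session-bound token the attacker's
        page cannot obtain, and an Origin check as defence in depth."""
        sid = req.cookies.get("session")
        if sid not in self.sessions:
            return 403, "not logged in"
        if req.method != "POST":
            return 405, "state-changing calls must be POST"
        if req.origin is not None and req.origin != self.HOST:
            return 403, "cross-origin request refused"
        supplied = req.params.get("_token", "")
        if not hmac.compare_digest(self.csrf_token(sid), supplied):
            return 403, "CSRF token missing or invalid"
        return self._privileged_action(req)


def run_demo():
    """Replay constructed forged and legitimate requests against both handlers."""
    site = Site()
    sid = site.login("admin")

    # Forged: a page on evil.example.net auto-submits a form to the site. The
    # browser adds the admin's session cookie, but the page cannot learn the token.
    forged = Request("POST", "https://evil.example.net",
                     {"session": sid}, {"action": "Contact.delete", "id": 42})
    # Same forgery with no Origin header, so only the token check can stop it.
    forged_no_origin = Request("POST", None,
                               {"session": sid}, {"action": "Contact.delete", "id": 43})
    # Legitimate request from the site's own JavaScript, carrying the token.
    legit = Request("POST", Site.HOST, {"session": sid},
                    {"action": "Contact.delete", "id": 7,
                     "_token": site.csrf_token(sid)})

    return {
        "vulnerable_forged": site.vulnerable_endpoint(forged)[0],       # 200: attack works
        "hardened_forged": site.hardened_endpoint(forged)[0],           # 403: Origin mismatch
        "hardened_no_origin": site.hardened_endpoint(forged_no_origin)[0],  # 403: no token
        "hardened_legit": site.hardened_endpoint(legit)[0],             # 200: real UI still works
        "deleted": list(site.deleted_contacts),                         # [42, 7]
    }


if __name__ == "__main__":
    print(run_demo())
```

The token is derived from a per-session secret with HMAC rather than stored directly, and compared with `hmac.compare_digest` so a wrong token cannot be distinguished from a partly right one by timing. The Origin check is kept as a second layer only: some requests legitimately arrive without an Origin header, so the token remains the check that actually decides.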

Security Risk
Critical
Vulnerability
Cross Site Request Forgery
Affected Versions
  • CiviCRM 5.19.0 - 5.19.3
  • Any previous version of CiviCRM - with extension "org.civicrm.api4" before 4.5.4 or 4.4.5
Fixed Versions
  • CiviCRM 5.20.0+
  • CiviCRM 5.19.4+
  • CiviCRM 5.13.8+ (Extended Security Release) - with bundled extension "org.civicrm.api4" v4.4.5+
Solutions

Any ONE of the following is sufficient:

  • (For CiviCRM 5.19.x) Upgrade to a secure version of CiviCRM
  • (For CiviCRM <= 5.18) Upgrade to a secure version of the "org.civicrm.api4" extension
  • (For CiviCRM <= 5.18) Disable the "org.civicrm.api4" extension (this removes APIv4 from the site until a fixed version of the extension is installed and re-enabled)
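As a quick check a practitioner can run before choosing one of the options above, the affected and fixed ranges stated in this advisory encoded as a small Python function. This is an added helper, not CiviCRM's code; it assumes plain dotted version strings such as "5.19.3", and takes the extension version as None when "org.civicrm.api4" is not installed or has been disabled:

```python
"""Does a CiviCRM install fall inside CIVI-SA-2019-24's affected ranges?

Added helper, not CiviCRM code. It encodes only the ranges listed in this
advisory. Version strings are assumed to be dotted numerics such as "5.19.3";
only the leading numeric components are compared.
"""
import re


def parse_version(text):
    """'5.19.3' -> (5, 19, 3). Missing components count as 0; parsing stops at
    the first component that does not start with a digit."""
    parts = []
    for piece in text.split("."):
        m = re.match(r"\d+", piece)
        if m is None:
            break
        parts.append(int(m.group()))
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts[:3])


def api4_extension_fixed(ext_version):
    """org.civicrm.api4 is fixed from 4.5.4 on the 4.5 line and from 4.4.5 on
    the 4.4 line (the latter is the copy bundled with the 5.13.8+ ESR)."""
    v = parse_version(ext_version)
    return v >= (4, 5, 4) or (4, 4, 5) <= v < (4, 5, 0)


def is_affected(core_version, api4_extension_version=None):
    """True if this advisory applies to the given core/extension combination.

    api4_extension_version: version of the org.civicrm.api4 extension, or None
    if it is not installed or has been disabled (one of the listed solutions).
    """
    core = parse_version(core_version)
    if core >= (5, 20, 0):
        return False                    # 5.20.0+ is fixed
    if core >= (5, 19, 0):
        return core < (5, 19, 4)        # 5.19.0 - 5.19.3 affected, 5.19.4+ fixed
    if api4_extension_version is None:
        return False                    # no APIv4 AJAX endpoint present at all
    return not api4_extension_fixed(api4_extension_version)


if __name__ == "__main__":
    # Constructed sample installs, one per range in the advisory.
    for core, ext in [("5.19.3", None), ("5.19.4", None), ("5.20.0", None),
                      ("5.18.2", "4.5.3"), ("5.18.2", "4.5.4"),
                      ("5.13.8", "4.4.5"), ("5.13.7", "4.4.4"), ("5.18.2", None)]:
        print(core, ext, "AFFECTED" if is_affected(core, ext) else "ok")
```

For core versions below 5.19 the verdict depends entirely on the extension: an install on 5.13.8 ESR with the bundled 4.4.5 extension is fine, while 5.18.x with a 4.5.x extension older than 4.5.4 is not, even though the core version itself is recent.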
Credits

Patrick Figel from Greenpeace CEE for reporting the issue

Seamus Lee from Australian Greens for fixing the issue

References

security/core#71