CIVI-SA-2020-01: Improve Entity Name sanitisation when used as part of API

Published
2020-04-15 12:00
When processing a CiviCRM API request, the entity name was not properly validated before being used. A crafted entity name could therefore potentially cause an arbitrary file on the server to be loaded.
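The following is an added illustration of the class of bug this advisory describes, not CiviCRM's own code and not the actual fix; the directory layout (api/v3/<Entity>.php), the function names and the sample inputs are assumptions made for this example. It contrasts a resolver that concatenates an unvalidated entity name into a file path with one that applies a strict allowlist pattern and then confirms that the resolved path still lies inside the intended directory.

```php
<?php
// Added example, not CiviCRM code. The api/v3/<Entity>.php layout and the
// function names below are assumptions for illustration only.

/**
 * Vulnerable pattern: the entity name taken from the request is concatenated
 * into a file path with no validation. A name such as "../../secret" walks
 * out of the intended directory; a NUL byte could historically truncate the
 * path so the appended ".php" suffix is ignored.
 */
function resolveEntityFileUnsafe(string $apiRoot, string $entity): string {
    return $apiRoot . '/api/v3/' . $entity . '.php';
}

/**
 * Hardened pattern: accept only names shaped like an identifier, then verify
 * that the resolved file really sits inside the API directory.
 * Returns null when the name is rejected.
 */
function resolveEntityFileSafe(string $apiRoot, string $entity): ?string {
    // 1. Syntactic allowlist: a letter followed by letters, digits or
    //    underscores. Path separators, dots, NUL bytes and whitespace are all
    //    rejected outright. \A and \z anchor the whole string (no trailing
    //    newline exemption, unlike $).
    if (!preg_match('/\A[A-Za-z][A-Za-z0-9_]*\z/', $entity)) {
        return null;
    }

    $dir = realpath($apiRoot . '/api/v3');
    if ($dir === false) {
        return null;
    }

    // 2. Containment check: the candidate must exist and its canonical path
    //    must begin with the canonical API directory plus a separator.
    $real = realpath($dir . DIRECTORY_SEPARATOR . $entity . '.php');
    $prefix = $dir . DIRECTORY_SEPARATOR;
    if ($real === false || strncmp($real, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $real;
}

// Constructed demonstration tree in a temporary directory.
$root = sys_get_temp_dir() . '/entity-example-' . bin2hex(random_bytes(4));
mkdir($root . '/api/v3', 0700, true);
file_put_contents($root . '/api/v3/Contact.php', "<?php\n// stub entity handler\n");
file_put_contents($root . '/secret.php', "<?php\n// file outside the API directory\n");

$inputs = ['Contact', '../../secret', "Contact\0", 'Contact/../Contact', 'Nonexistent'];
foreach ($inputs as $name) {
    $unsafe = resolveEntityFileUnsafe($root, $name);
    $safe   = resolveEntityFileSafe($root, $name);
    printf("%-26s unsafe -> %s\n%-26s safe   -> %s\n",
        json_encode($name), $unsafe, '', $safe ?? 'REJECTED');
}

// Clean up the constructed tree.
unlink($root . '/api/v3/Contact.php');
unlink($root . '/secret.php');
rmdir($root . '/api/v3');
rmdir($root . '/api');
rmdir($root);
```

Only "Contact" passes the hardened resolver; the traversal, NUL-byte and separator-bearing names fail the allowlist pattern before any filesystem access, and an identifier-shaped name with no matching file fails the containment check. Applying the allowlist first matters: realpath() alone would happily canonicalise "../../secret" to a file outside the API directory, which is exactly the path the unsafe resolver hands back.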

Security Risk
Moderately Critical
Vulnerability
Other
Affected Versions

CiviCRM version 5.24.2 and earlier

Fixed Versions

CiviCRM versions 5.24.3 and 5.21.3

Solutions

Upgrade to the latest version of CiviCRM

Credits

Cure53 and Mozilla Open Source Support (MOSS) for reporting the issue
Tim Otten (CiviCRM) and Seamus Lee (JMA Consulting/CiviCRM) for resolving the issue

References

CIV-01-021