CIVI-SA-2020-07: CSRF in Scheduled Jobs

Published
2020-04-15 12:00

The "Schedule Jobs" page was vulnerable to a cross-site request forgery. If an administrative user visited a malicious page outside of CiviCRM, the malicious page could trick that user's browser into executing a job on the CiviCRM site.
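
The pattern behind this class of bug, as an added illustration that is not CiviCRM's own code or its fix: a PHP handler for a state-changing "run job" action, shown unprotected beside a version that requires a per-session token. Function names, the `$_SESSION` key, the request fields and the job id are hypothetical.

```php
<?php
// Added example, not CiviCRM code. Names are hypothetical.
declare(strict_types=1);

// Issue one random token per session; embed it in same-site forms and links.
function csrf_token(): string
{
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// Unprotected handler: any request naming a job id executes it. The browser
// attaches the admin's session cookie automatically, so a page on another
// origin can cause this request to be sent without the admin's intent.
function run_job_vulnerable(array $request, callable $execute): bool
{
    if (!isset($request['job_id'])) {
        return false;
    }
    $execute((int) $request['job_id']);
    return true;
}

// Protected handler: state changes only on POST, and only when the request
// carries the session's token. A cross-origin page cannot read that token,
// so it cannot produce a request that passes this check.
function run_job_hardened(string $method, array $request, callable $execute): bool
{
    if ($method !== 'POST' || !isset($request['job_id'], $request['csrf_token'])) {
        return false;
    }
    if (!hash_equals(csrf_token(), (string) $request['csrf_token'])) {
        return false; // missing or stale token: reject and log, never execute
    }
    $execute((int) $request['job_id']);
    return true;
}

// Demonstration with a constructed session and a recording stand-in for the
// job runner; nothing real is executed.
$_SESSION = [];
$ran = [];
$execute = function (int $jobId) use (&$ran): void { $ran[] = $jobId; };

$forged = ['job_id' => '7'];                                  // no token
var_dump(run_job_vulnerable($forged, $execute));              // job runs
var_dump(run_job_hardened('GET', $forged, $execute));         // rejected
var_dump(run_job_hardened('POST', $forged, $execute));        // rejected
$legit = ['job_id' => '7', 'csrf_token' => csrf_token()];     // same-site form
var_dump(run_job_hardened('POST', $legit, $execute));         // job runs
```

In the second branch the token alone is the decisive control: the POST-only rule blocks image-tag and link-based triggers, but a forged POST without the token is still refused.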

Security Risk
Less Critical
Vulnerability
Cross Site Request Forgery
Affected Versions

CiviCRM version 5.24.2 and earlier

Fixed Versions

CiviCRM version 5.24.3 and 5.21.3

Solutions

Upgrade to the latest version of CiviCRM

Credits

Mark Burdett (Electronic Frontier Foundation) for reporting the issue.
Seamus Lee (JMA Consulting/CiviCRM), Rich Lott (Artful Robot), Patrick Figel (Greenpeace CEE), and Sean Madsen (Left Join Labs) for resolving the issue.

References

security/core#10