CIVI-SA-2020-11: CSRF on CKEditor Configuration Form

Published
2020-08-19 09:00
CiviCRM did not provide sufficient protection on the CKEditor configuration form, which could allow a malicious third-party to trick a CiviCRM administrator into changing the configuration.

Note: This form had another vulnerability in the same version. The risk from two overlapping vulnerabilities may be greater than the risk of each individually.
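To make the defect class concrete, the following is an added illustration (not CiviCRM code; CiviCRM is PHP, this is a language-neutral Python sketch with constructed settings and field names) of a configuration-save handler that applies any authenticated POST, next to one that also requires a per-session synchronizer token the cross-site page cannot read:

```python
import hmac
import secrets

# Constructed stand-in for the fields an editor configuration form saves.
ALLOWED_FIELDS = {"preset", "toolbar", "extra_plugins"}


class Session:
    """Server-side session; the CSRF token is stored here, not only in a cookie."""
    def __init__(self):
        self.csrf_token = secrets.token_urlsafe(32)


class Request:
    """Minimal request. The browser attaches the admin's session cookie even to a
    POST a third-party page triggered, so 'session' is set in both scenarios."""
    def __init__(self, method, session, form):
        self.method, self.session, self.form = method, session, form


def _apply(settings, form):
    settings.update({k: v for k, v in form.items() if k in ALLOWED_FIELDS})


def save_config_unprotected(settings, request):
    """Defect pattern: being logged in is the only check, so a forged POST passes."""
    if request.method != "POST" or request.session is None:
        return False
    _apply(settings, request.form)
    return True


def save_config_protected(settings, request):
    """Hardened: the form body must carry the token issued to this session;
    constant-time comparison avoids leaking it byte by byte."""
    if request.method != "POST" or request.session is None:
        return False
    submitted = request.form.get("csrf_token", "")
    if not hmac.compare_digest(submitted.encode(), request.session.csrf_token.encode()):
        return False
    _apply(settings, request.form)
    return True


def demo():
    """Replay one cross-site (token-less) and one genuine submission per handler;
    returns {handler: (forged_accepted, genuine_accepted)}."""
    admin = Session()
    forged = Request("POST", admin, {"toolbar": "Full"})
    genuine = Request("POST", admin, {"toolbar": "Basic", "csrf_token": admin.csrf_token})
    results = {}
    for name, handler in (("unprotected", save_config_unprotected),
                          ("protected", save_config_protected)):
        settings = {"preset": "default", "toolbar": "Standard", "extra_plugins": ""}
        results[name] = (handler(settings, forged), handler(settings, genuine))
    return results
```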

Security Risk
Critical
Vulnerability
Cross Site Request Forgery
Affected Versions

CiviCRM version 5.28.0 and earlier

Fixed Versions

CiviCRM version 5.28.1 and 5.27.5 ESR

Solutions

Upgrade to the latest version of CiviCRM, or use an editor other than the CKEditor included with Core.

Credits

Dennis Brinkrolf of RIPS Technologies and Cure53 and Mozilla Open Source Support (MOSS) for reporting the issue
Seamus Lee and Coleman Watts for fixing the issue

References

MOSS CIV-01-016
security/core#74