CIVI-SA-2024-05: Multiple AJAX End-Points (CSRF)

Published
2024-10-16 12:00
Multiple AJAX end-points may be vulnerable to Cross Site Request Forgery.

This release updates a large number of older end-points originating circa CiviCRM 1.x-3.x. Detailed severity ratings were not assessed for all these end-points, but several samples were assessed. The severity ranged from "Not Critical" to "Moderately Critical". Thus, the overall issue is classified as "Moderately Critical".

Security Risk
Moderately Critical
Vulnerability
Cross Site Request Forgery
Affected Versions

CiviCRM versions 5.78.1 and earlier

Fixed Versions

CiviCRM versions 5.78.2 and 5.75.4 (ESR)

Publication Date

2024-10-16

Solutions

Upgrade to the latest CiviCRM version

Credits
  • Reporter: Joe Murray of JMA Consulting
  • Development/Review: Coleman Watts of CiviCRM; Patrick Figel of Greenpeace Central and Eastern Europe; Seamus Lee of JMA Consulting; Tim Otten of CiviCRM
References

security/core#178