CIVI-SA-2024-05: Multiple AJAX End-Points (CSRF)

Publicado
2024-10-16 12:00
Written by

Multiple AJAX end-points may be vulnerable to Cross Site Request Forgery.

This release updates a large number of older end-points originating circa CiviCRM 1.x-3.x. Detailed severity ratings were not assessed for all these end-points, but several samples were assessed. The severity ranged from "Not Critical" to "Moderately Critical". Thus, the overall issue is classified as "Moderately Critical".

Security Risk
Moderately Critical
Vulnerability
Cross Site Request Forgery
Affected Versions

CiviCRM versions 5.78.1 and earlier

Fixed Versions

CiviCRM versions 5.78.2 and 5.75.4 (ESR)

Publication Date
Solutions

Upgrade to the latest CiviCRM version

Credits
  • Reporter: Joe Murray of JMA Consulting
  • Development/Review: Coleman Watts of CiviCRM; Patrick Figel of Greenpeace Central and Eastern Europe; Seamus Lee of JMA Consulting; Tim Otten of CiviCRM
References

security/core#178