CIVI-SA-2019-20: Privilege Escalation via Leaked Key

Publié
2019-11-20 09:00
Written by

The field "api_key" has special security rules when accessed via the API. These rules could potentially be bypassed and lead to privilege escalation.

Security Risk
Critical
Vulnerability
Access Bypass
Affected Versions
  • CiviCRM versions between 4.7.0 and 5.19.1
Fixed Versions
  • CiviCRM 5.19.2 and 5.13.7
Solutions

Upgrade to the latest version of CiviCRM

Credits

Coleman Watts of CiviCRM for reporting.

Coleman Watts of CiviCRM, Tim Otten of CiviCRM, and Seamus Lee of Australian Greens for fixing the issue

References

security/core#62