CIVI-SA-2023-14: Contact Image CSRF

Publié
2023-09-06 12:00
Written by
dev-team - member of the CiviCRM community - view blog guidelines

Some administrative actions for "Contact" profile-images lacked sufficient validation, making them vulnerable to a cross-site request forgery (CSRF).

Security Risk
Moderately Critical
Vulnerability
Cross Site Request Forgery
Affected Versions

CiviCRM version 5.64.3 and earlier

Fixed Versions

CiviCRM version 5.64.4, 5.65.0 and 5.63.4 (ESR)

Publication Date
Solutions

Upgrade to the fixed version of CiviCRM

Credits

Ranjit Pahan
Coleman Watts of CiviCRM.
Seamus Lee of JMA Consulting/CiviCRM.

References

security/core#126
huntr.dev: d0896494-0642-40d2-8d49-8cf6c7d6e5c0