CIVI-SA-2020-11: CSRF on CKEditor Configuration Form

2020-08-19 09:00
Written by dev-team, member of the CiviCRM community

CiviCRM did not provide sufficient protection on the CKEditor configuration form, which could allow a malicious third-party to trick a CiviCRM administrator into changing the configuration.

Note: This form had another vulnerability in the same version. The risk from two overlapping vulnerabilities may be greater than the risk of each individually.

Security Risk
Cross Site Request Forgery
Affected Versions

CiviCRM version 5.28.0 and earlier

Fixed Versions

CiviCRM version 5.28.1 and 5.27.5 ESR

Publication Date

2020-08-19

Solution

Upgrade to the latest version of CiviCRM, or use an editor other than the CKEditor included with Core


Dennis Brinkrolf of RIPS Technologies and Cure53 and Mozilla Open Source Support (MOSS) for reporting the issue
Seamus Lee and Coleman Watts for fixing the issue


MOSS CIV-01-016