CIVI-SA-2020-07: CSRF in Scheduled Jobs

Pubblicato

2020-04-15 12:00

Written by

dev-team

The "Schedule Jobs" page was vulnerable to a cross-site request forgery. If an administrative user visited a malicious page outside of CiviCRM, the malicious page could trick that user's browser into executing a job on the CiviCRM site.

Security Risk

Less Critical

Vulnerability

Cross Site Request Forgery

Affected Versions

CiviCRM version 5.24.2 and earlier

Fixed Versions

CiviCRM version 5.24.3 and 5.21.3

Publication Date

2020-04-15 - 12:00

Solutions

Upgrade to the latest version of CiviCRM

Credits

Mark Burdett (Electronic Frontier Foundation) for reporting the issue.
Seamus Lee (JMA Consulting/CiviCRM), Rich Lott (Artful Robot), Patrick Figel (Greenpeace CEE), and Sean Madsen (Left Join Labs) for resolving the issue.

References

security/core#10

We are in the process of translating the civicrm.org website. Translations may not be available in all languages. Read more and participate.

© 2005 - 2023, CIVICRM LLC. All rights reserved.
CiviCRM and the CiviCRM logo are trademarks of CIVICRM LLC. Except where otherwise noted, content on this site is licensed under a Creative Commons Attribution-Share Alike 3.0 United States Licence.

[D8]

CIVI-SA-2020-07: CSRF in Scheduled Jobs

WORK WITH A TRUSTED EXPERT
TO SETUP YOUR CIVICRM

Lingue

CIVI-SA-2020-07: CSRF in Scheduled Jobs

WORK WITH A TRUSTED EXPERT TO SETUP YOUR CIVICRM

WORK WITH A TRUSTED EXPERT
TO SETUP YOUR CIVICRM