CIVI-SA-2019-24 CSRF in APIv4 AJAX end point

2019-12-04 09:00
Written by

The AJAX endpoint for APIv4 was vulnerable to cross-site request forgery (CSRF). If an administrative user visited a malicious page outside of CiviCRM, that page could trick the user's browser into performing privileged actions on the CiviCRM site using the user's existing session.
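The following PHP is an added example and not CiviCRM's code or the actual fix shipped in the versions listed below; it shows the standard mitigation for the vulnerability class described above, a synchronizer token that an AJAX endpoint verifies before dispatching an API call. The function names, the `X-Csrf-Token` header and the session array layout are assumptions made for illustration.

```php
<?php
// Added example (not CiviCRM's code): a synchronizer-token check in front of
// an AJAX API endpoint, the usual defence against CSRF on such endpoints.
// Function names, the header name and the session layout are assumptions.

// Issue one random token per session and reuse it. The page that legitimately
// calls the endpoint embeds the token in a custom request header.
function csrf_issue_token(array &$session): string
{
    if (empty($session['csrf_token'])) {
        $session['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $session['csrf_token'];
}

// A cross-site page cannot read the token (same-origin policy) and cannot set
// custom headers on a plain form submission, so a request without a matching
// token is rejected before the API action runs.
function csrf_request_is_valid(array $session, array $headers): bool
{
    if (empty($session['csrf_token'])) {
        return false;
    }
    $sent = $headers['X-Csrf-Token'] ?? '';
    // hash_equals() gives a constant-time comparison of the two strings.
    return is_string($sent) && hash_equals($session['csrf_token'], $sent);
}

// Vulnerable shape: any request carrying a valid session cookie is dispatched,
// which is exactly what a forged cross-site request provides.
function api_ajax_vulnerable(array $session, array $headers, string $entity, string $action): array
{
    return ['entity' => $entity, 'action' => $action, 'dispatched' => true];
}

// Hardened shape: the same handler with the token check in front.
function api_ajax_hardened(array $session, array $headers, string $entity, string $action): array
{
    if (!csrf_request_is_valid($session, $headers)) {
        return ['status' => 403, 'error' => 'CSRF token missing or invalid', 'dispatched' => false];
    }
    return ['entity' => $entity, 'action' => $action, 'dispatched' => true];
}

// Constructed walk-through: the browser attaches the session cookie to both
// requests, so $session is populated for both, but only the legitimate page
// knows the token.
$session = [];
$token = csrf_issue_token($session);

$forged = api_ajax_hardened($session, [], 'Contact', 'delete');
$legit  = api_ajax_hardened($session, ['X-Csrf-Token' => $token], 'Contact', 'get');

assert($forged['dispatched'] === false);
assert($legit['dispatched'] === true);
assert(api_ajax_vulnerable($session, [], 'Contact', 'delete')['dispatched'] === true);
```

The token check must sit in the endpoint itself, not in the JavaScript that normally calls it, because the attacker's page issues its own requests and never runs the site's client-side code. Rejected requests are also a useful detection signal: a burst of 403s with a valid session but no token on an administrative account is worth alerting on.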

Security Risk
Cross Site Request Forgery
Affected Versions
  • CiviCRM 5.19.0 - 5.19.3
  • Any previous version of CiviCRM - with extension "org.civicrm.api4" before 4.5.4 or 4.4.5
Fixed Versions
  • CiviCRM 5.20.0+
  • CiviCRM 5.19.4+
  • CiviCRM 5.13.8+ - with bundled extension "org.civicrm.api4" (v4.4.5+) Extended Security Release

Solution
Any ONE of the following is sufficient:

  • (For CiviCRM 5.19.x) Upgrade to a secure version of CiviCRM
  • (For CiviCRM <= 5.18) Upgrade to a secure version of the "org.civicrm.api4" extension
  • (For CiviCRM <= 5.18) Disable the "org.civicrm.api4" extension

Credits
  • Patrick Figel from Greenpeace CEE for reporting the issue
  • Seamus Lee from Australian Greens for fixing the issue