A vulnerability in processing APIv3 AJAX requests could allow a malicious request to bypass permission checks.
Affected versions: 5.50.beta1, 5.49.3, and 5.45.5 (and earlier)
Fixed versions: 5.50.0, 5.49.4, and 5.45.6 ESR (and later)
Any ONE of the following:
- (Recommended) Upgrade to CiviCRM v5.50.0, v5.49.4, or v5.45.6 ESR
- (Alternative Mitigation) Ensure that the permissions "access AJAX API" and "access CiviCRM" are granted only to trusted, administrative users. (NOTE: This mitigation is only practical on small, simple sites. It may be impractical if the site has semi-trusted backend users or if it has any extensions that use APIv3 AJAX.)
Credits: Artful Robot - Rich Lott; JMA Consulting - Seamus Lee; Wikimedia Foundation - Eileen McNaughton; CiviCRM - Coleman Watts, Tim Otten
security/core#116