CIVI-SA-2022-07: APIv3 Access Bypass

A vulnerability in processing APIv3 AJAX requests could allow a malicious request to bypass permission checks.

Security Risk

Highly Critical

Vulnerability

Access Bypass

Affected Versions

5.50.beta1, 5.49.3, and 5.45.5 (and earlier)

Fixed Versions

5.50.0, 5.49.4, and 5.45.6 ESR (and later)

Publication Date

2022-06-01 - 12:00

Solutions

Any ONE of the following:

(Recommended) Upgrade to CiviCRM v5.50.0, v5.49.4, or 5.45.6 ESR
(Alternative Mitigation) Ensure that permissions access AJAX API and access CiviCRM are only available to trusted, administrative users. (NOTE: This mitigation is only practical on small, simple sites. It may be impractical if the site has semi-trusted, backend users or if it has any extensions that use APIv3 AJAX.)

Credits

Artful Robot - Rich Lott; JMA Consulting - Seamus Lee; Wikimedia Foundation - Eileen McNaughton; CiviCRM - Coleman Watts, Tim Otten

References

security/core#116

WORK WITH A TRUSTED EXPERT
TO SETUP YOUR CIVICRM