In CiviCRM before 5.28.1 and CiviCRM ESR before 5.27.5 ESR, the CKEditor configuration form allows CSRF.
References
Link | Resource |
---|---|
https://civicrm.org/advisory/civi-sa-2020-11-csrf-ckeditor-configuration-form | Vendor Advisory |
https://blog.sonarsource.com/civicrm-code-execution-vulnerability-chain-explained/ | Exploit Third Party Advisory |
Configurations
Configuration 1 (hide)
|
Information
Published : 2021-06-17 12:15
Updated : 2023-02-03 11:12
NVD link : CVE-2020-36389
Mitre link : CVE-2020-36389
JSON object : View
CWE
CWE-352
Cross-Site Request Forgery (CSRF)
Products Affected
civicrm
- civicrm