CVE-2020-36389 — Cross-Site Request Forgery in Civicrm

Severity

4.3MEDIUMNVD

EPSS

0.4%

top 38.67%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Timeline

PublishedJun 17

Latest updateMay 24

Description

In CiviCRM before 5.28.1 and CiviCRM ESR before 5.27.5 ESR, the CKEditor configuration form allows CSRF.

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:NExploitability: 2.8 | Impact: 1.4

▶debiandebian/civicrm< civicrm 5.28.4+dfsg1-1 (bullseye)

▶NVDcivicrm/civicrm< 5.27.5+1

▶Debiancivicrm/civicrm< 5.28.4+dfsg1-1

GHSA

GHSA-pxgv-6gmm-ggxw: In CiviCRM before 5↗2022-05-24

▶

OSV

CVE-2020-36389: In CiviCRM before 5↗2021-06-17

▶

Debian

CVE-2020-36389: civicrm - In CiviCRM before 5.28.1 and CiviCRM ESR before 5.27.5 ESR, the CKEditor configu...↗2020

▶