CVE-2020-36389

See a problem?
Please try reporting it to the source first.

Source

https://cve.org/CVERecord?id=CVE-2020-36389

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2020-36389.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2020-36389

Aliases

BIT-civicrm-2020-36389

Downstream

DEBIAN-CVE-2020-36389

UBUNTU-CVE-2020-36389

Published

2021-06-17T19:15:07.827Z

Modified

2026-04-10T04:19:10.408207Z

Severity

4.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N CVSS Calculator

Summary

[none]

Details

In CiviCRM before 5.28.1 and CiviCRM ESR before 5.27.5 ESR, the CKEditor configuration form allows CSRF.

References

Affected packages

Git / github.com/civicrm/civicrm-core

Affected ranges

Type

GIT

Repo

https://github.com/civicrm/civicrm-core

Events

Introduced

Fixed

be989a7051c7620136c4e6dbdb128f55d3b2b5f9

Database specific

{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "fixed": "5.28.1"
        }
    ]
}

Affected versions

4.*

4.3.beta2

4.3.beta3

4.3.beta4

4.3.beta5

4.4.alpha1

4.4.alpha2

4.4.alpha3

4.4.beta1

4.4.beta2

4.4.beta3

4.4.beta4

4.5.alpha1

4.5.alpha2

4.5.beta1

4.5.beta2

4.5.beta3

4.5.beta4

4.5.beta5

4.5.beta6

4.5.beta7

4.5.beta8

4.6.alpha1

4.6.alpha2

4.6.alpha3

4.6.alpha4

4.6.alpha5

4.6.alpha6

4.6.alpha7

4.6.beta1

4.6.beta2

4.7.0

4.7.1

4.7.10-pre1

4.7.2

4.7.3

4.7.4

4.7.5

4.7.6

4.7.alpha1

4.7.alpha2

4.7.alpha3

4.7.alpha4

4.7.alpha5

4.7.beta1

4.7.beta2

4.7.beta3

4.7.beta4

4.7.beta5

4.7.beta6

4.7.beta7

4.7.beta8

5.*

5.28.0

Database specific

source

"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2020-36389.json"

unresolved_ranges

[
    {
        "events": [
            {
                "introduced": "0"
            },
            {
                "fixed": "5.27.5"
            }
        ]
    }
]