{"id":"CVE-2020-36389","details":"In CiviCRM before 5.28.1 and CiviCRM ESR before 5.27.5 ESR, the CKEditor configuration form allows CSRF.","aliases":["BIT-civicrm-2020-36389"],"modified":"2026-04-10T04:19:10.408207Z","published":"2021-06-17T19:15:07.827Z","references":[{"type":"ADVISORY","url":"https://civicrm.org/advisory/civi-sa-2020-11-csrf-ckeditor-configuration-form"},{"type":"EVIDENCE","url":"https://blog.sonarsource.com/civicrm-code-execution-vulnerability-chain-explained/"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/civicrm/civicrm-core","events":[{"introduced":"0"},{"fixed":"be989a7051c7620136c4e6dbdb128f55d3b2b5f9"}],"database_specific":{"versions":[{"introduced":"0"},{"fixed":"5.28.1"}]}}],"versions":["4.3.beta2","4.3.beta3","4.3.beta4","4.3.beta5","4.4.alpha1","4.4.alpha2","4.4.alpha3","4.4.beta1","4.4.beta2","4.4.beta3","4.4.beta4","4.5.alpha1","4.5.alpha2","4.5.beta1","4.5.beta2","4.5.beta3","4.5.beta4","4.5.beta5","4.5.beta6","4.5.beta7","4.5.beta8","4.6.alpha1","4.6.alpha2","4.6.alpha3","4.6.alpha4","4.6.alpha5","4.6.alpha6","4.6.alpha7","4.6.beta1","4.6.beta2","4.7.0","4.7.1","4.7.10-pre1","4.7.2","4.7.3","4.7.4","4.7.5","4.7.6","4.7.alpha1","4.7.alpha2","4.7.alpha3","4.7.alpha4","4.7.alpha5","4.7.beta1","4.7.beta2","4.7.beta3","4.7.beta4","4.7.beta5","4.7.beta6","4.7.beta7","4.7.beta8","5.28.0"],"database_specific":{"unresolved_ranges":[{"events":[{"introduced":"0"},{"fixed":"5.27.5"}]}],"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2020-36389.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N"}]}