In CiviCRM before 5.28.1 and CiviCRM ESR before 5.27.5 ESR, the CKEditor configuration form allows CSRF.
{
"unresolved_ranges": [
{
"source": "CPE_RANGE",
"vendor_product": "civicrm:civicrm",
"cpes": [
"cpe:2.3:a:civicrm:civicrm:*:*:*:*:extended_security_release:*:*:*"
],
"extracted_events": [
{
"fixed": "5.27.5"
}
]
}
]
}{
"source": "CPE_RANGE",
"cpe": "cpe:2.3:a:civicrm:civicrm:*:*:*:*:-:*:*:*",
"extracted_events": [
{
"introduced": "0"
},
{
"fixed": "5.28.1"
}
]
}