CiviCRM 2.0.0 through 4.2.9 and 4.3.0 through 4.3.3 does not properly enforce role-based access control (RBAC) restrictions for default custom searches, which allows remote authenticated users with the "access CiviCRM" permission to bypass intended access restrictions, as demonstrated by accessing custom contribution data without having the "access CiviContribute" permission.
References
Link | Resource |
---|---|
http://civicrm.org/advisory/civi-sa-2013-003 | Vendor Advisory |
http://issues.civicrm.org/jira/browse/CRM-12747 | |
http://civicrm.org/advisory/civi-sa-2013-003-custom-search-permissions | Vendor Advisory |
Configurations
Configuration 1 (hide)
|
Information
Published : 2014-01-29 10:55
Updated : 2014-02-21 11:35
NVD link : CVE-2013-4661
Mitre link : CVE-2013-4661
JSON object : View
CWE
CWE-264
Permissions, Privileges, and Access Controls
Products Affected
civicrm
- civicrm