CiviCRM 2.0.0 through 4.2.9 and 4.3.0 through 4.3.3 does not properly enforce role-based access control (RBAC) restrictions for default custom searches, which allows remote authenticated users with the "access CiviCRM" permission to bypass intended access restrictions, as demonstrated by accessing custom contribution data without having the "access CiviContribute" permission.
References
Link | Resource |
---|---|
http://civicrm.org/advisory/civi-sa-2013-003 | Vendor Advisory |
http://civicrm.org/advisory/civi-sa-2013-003-custom-search-permissions | Vendor Advisory |
http://issues.civicrm.org/jira/browse/CRM-12747 |
History
No history.
MITRE Information
Status: PUBLISHED
Assigner: mitre
Published: 2014-01-29T18:00:00
Updated: 2014-01-29T17:57:00
Reserved: 2013-06-24T00:00:00
Link: CVE-2013-4661
JSON object: View
NVD Information
Status : Analyzed
Published: 2014-01-29T18:55:26.590
Modified: 2014-02-21T19:35:19.657
Link: CVE-2013-4661
JSON object: View
Redhat Information
No data.
CWE