CVE-2013-4661
N/A
N/A
Summary
CiviCRM 2.0.0 through 4.2.9 and 4.3.0 through 4.3.3 does not properly enforce role-based access control (RBAC) restrictions for default custom searches, which allows remote authenticated users with the "access CiviCRM" permission to bypass intended access restrictions, as demonstrated by accessing custom contribution data without having the "access CiviContribute" permission.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| n/a | n/a | n/a | affected |
Weaknesses
- n/a
ADP Enrichment
CVE Program Container
Additional References
- http://issues.civicrm.org/jira/browse/CRM-12747
- http://civicrm.org/advisory/civi-sa-2013-003
- http://civicrm.org/advisory/civi-sa-2013-003-custom-search-permissions
References
- http://issues.civicrm.org/jira/browse/CRM-12747
- http://civicrm.org/advisory/civi-sa-2013-003
- http://civicrm.org/advisory/civi-sa-2013-003-custom-search-permissions
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.