CiviCRM v2+ includes a "Custom Search" system which allows administrators to register customized search forms, and CiviCRM ships with some default custom searches (e.g. "Find Contribution Amounts by Tag"). CiviCRM also supports role-based access control through permissions such as "access CiviContribute" or "access CiviEvent". The default custom searches do not enforce the component permissions that protect the same data elsewhere in the backend.
For example, if a security policy grants a user permission to view the CiviCRM backend ("access CiviCRM") but denies permission to view contribution data ("access CiviContribute"), that user can still read contribution amounts by running a default custom search that reports them.
Mitigating factor: the access controls can only be bypassed by users who already hold the "access CiviCRM" permission, i.e. users who can already log into the backend as staff.
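The pattern behind the advisory, as an added example that is not CiviCRM's own code: a custom search that joins contact records to contribution totals, with the component permission checked before anything is built, so that a user holding only "access CiviCRM" is bounced instead of served the amounts. The unpatched default searches had no equivalent of the check in the constructor. The class name, column set and totals query are hypothetical; CRM_Core_Permission::check(), CRM_Core_Error::statusBounce(), ts(), CRM_Utils_System::setTitle() and the custom-search base class (with its sql() helper, count() and contactIDs()) are CiviCRM's, written here against the 4.x-era signatures, which you should confirm against your own tree.

```php
<?php
// Added example for this advisory, not CiviCRM core code. Hypothetical class
// name and query; CiviCRM API names as of the 4.2/4.3 era (assumed, verify).

class CRM_Contact_Form_Search_Custom_ContributionTotals extends CRM_Contact_Form_Search_Custom_Base implements CRM_Contact_Form_Search_Interface {

  // Component permissions required on top of "access CiviCRM". This is the
  // list the vulnerable default searches lacked: without it, "access CiviCRM"
  // alone was enough to reach the contribution amounts selected below.
  protected $_requiredPermissions = array('access CiviContribute');

  public function __construct(&$formValues) {
    // Check before the parent constructor runs so that no form fields,
    // columns or SQL are built for a user who may not see the data.
    foreach ($this->_requiredPermissions as $permission) {
      if (!CRM_Core_Permission::check($permission)) {
        // Redirects with a status message instead of rendering the results.
        CRM_Core_Error::statusBounce(ts('You do not have permission to run this search.'));
      }
    }
    parent::__construct($formValues);

    // Result columns: template label => SQL alias produced by all().
    $this->_columns = array(
      ts('Contact Id')        => 'contact_id',
      ts('Name')              => 'sort_name',
      ts('Total Contributed') => 'total_amount',
    );
  }

  public function buildForm(&$form) {
    // No user-supplied filters in this example, so the form only needs a title.
    CRM_Utils_System::setTitle(ts('Find Contribution Totals'));
  }

  public function all($offset = 0, $rowcount = 0, $sort = NULL, $includeContactIDs = FALSE, $justIDs = FALSE) {
    // contact_a is the alias the core search machinery expects for the
    // contact table; the aggregate is what makes this search sensitive.
    $select = $justIDs
      ? 'contact_a.id AS contact_id'
      : 'contact_a.id AS contact_id, contact_a.sort_name AS sort_name, '
        . 'SUM(contrib.total_amount) AS total_amount';
    // sql() (from the base class, assumed signature) prepends SELECT and
    // appends from(), where(), the group-by clause, sorting and paging.
    return $this->sql($select, $offset, $rowcount, $sort, $includeContactIDs, 'GROUP BY contact_a.id');
  }

  public function from() {
    return 'FROM civicrm_contact contact_a '
      . 'INNER JOIN civicrm_contribution contrib ON contrib.contact_id = contact_a.id';
  }

  public function where($includeContactIDs = FALSE) {
    // Only non-deleted contacts and completed contributions
    // (contribution_status_id = 1 is "Completed" in a default install).
    $clauses = array(
      'contact_a.is_deleted = 0',
      'contrib.contribution_status_id = 1',
    );
    return implode(' AND ', $clauses);
  }

  public function templateFile() {
    // Generic custom-search result template shipped with core.
    return 'CRM/Contact/Form/Search/Custom.tpl';
  }
}
```

To verify the fix on a live site, log in as a role that has "access CiviCRM" but not "access CiviContribute", open the search from the custom-search menu, and confirm you are redirected with the status message rather than shown a result table; repeat as a role that holds both permissions and confirm the totals render.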
Affected versions: CiviCRM v2.0.0 - v4.2.9, v4.3.0 - v4.3.3
Fixed versions: CiviCRM v4.2.10 and v4.3.4
Any ONE of the following solutions will provide protection:
- Upgrade to CiviCRM v4.2.10 or v4.3.4+
- Disable any custom searches which should not be generally accessible by backend/staff users. (Custom searches may be disabled by navigating to "Administer => Customize Data and Screens => Manage Custom Searches".) Note that disabling a search removes it for every user, including those who do hold the relevant component permission, so upgrading is the preferred fix.
Credits:
- Sarah Gladstone (Pogstone Inc)
- Pratik Joshi (CiviCRM LLC)
- Donald Lobo (CiviCRM LLC)