CIVI-SA-2013-003 - Custom Search Permissions

Security Risk: 
Less Critical
Access Bypass
Affected Versions: 

CiviCRM v2.0.0 - v4.2.9, v4.3.0 - v4.3.3

Fixed Versions: 

CiviCRM v4.2.10 and v4.3.4

Publication Date: 
Monday, June 10, 2013

CiviCRM v2+ includes a "Custom Search" system which allows administrators to register customized search forms and includes some default custom-searches (e.g. "Find Contribution Amounts by Tag"). CiviCRM also supports role-based access controls using permissions like "access CiviContribute" or "access CiviEvent". For the default custom-searches, CiviCRM does not enforce the expected role-based access controls.

For example: If a security policy grants a user permission to view the CiviCRM backend ("access CiviCRM") but denies permission to view contribution data ("access CiviContribute"), then the user may still access contribution data through a custom-search.

This vulnerability is mitigated by the fact that the access controls can only be bypassed by users with the permission "access CiviCRM".


Any ONE of the following solutions will provide protection:

  • Upgrade to CiviCRM 4.2.10 or v4.3.4+
  • Disable any custom searches which should not be generally accessible by backend/staff users. (Custom searches may be disabled by navigating to "Administer => Customize Data and Screens => Manage Custom Searches".)
  • Sarah Gladstone (Pogstone Inc)
  • Pratik Joshi (CiviCRM LLC)
  • Donald Lobo (CiviCRM LLC)