CIVI-SA-2014-002 - Risk of Information Disclosure by Anonymous Users

Published

2014-07-01 16:42

Written by

A small number of CiviCRM entry points had faulty permission checks. This could allow hackers, under certain circumstances, to view basic contact information such as name, email, phone, or address for contacts in the database.

The risk is limited to viewing basic contact information - it does not include contributions, memberships, passwords or other data. It does not give hackers the ability to login or make changes to the database.

All sites are advised to upgrade immediately to avoid the potential risk.

Security Risk

Critical

Vulnerability

Information Disclosure

Affected Versions

CiviCRM version 4.4.5 and earlier
CiviCRM LTS version 4.2.16 and earlier

Fixed Versions

CiviCRM 4.4.6
CiviCRM LTS 4.2.17

Solutions

Upgrade to one of the fixed versions.

Credits

Coleman Watts (CiviCRM LLC)

References

https://issues.civicrm.org/jira/browse/CRM-14603

We are in the process of translating the civicrm.org website. Translations may not be available in all languages. Read more and participate.

© 2005 - 2023, CIVICRM LLC. All rights reserved.
CiviCRM and the CiviCRM logo are trademarks of CIVICRM LLC. Except where otherwise noted, content on this site is licensed under a Creative Commons Attribution-Share Alike 3.0 United States Licence.

[D8]

CIVI-SA-2014-002 - Risk of Information Disclosure by Anonymous Users

WORK WITH A TRUSTED EXPERT
TO SETUP YOUR CIVICRM

Languages

CIVI-SA-2014-002 - Risk of Information Disclosure by Anonymous Users

WORK WITH A TRUSTED EXPERT TO SETUP YOUR CIVICRM

WORK WITH A TRUSTED EXPERT
TO SETUP YOUR CIVICRM