Security Risk: Critical
Vulnerability: Information Disclosure
Affected Versions:
  • CiviCRM version 4.4.5 and earlier
  • CiviCRM LTS version 4.2.16 and earlier
Fixed Versions:
  • CiviCRM 4.4.6
  • CiviCRM LTS 4.2.17
Publication Date: Wednesday, July 2, 2014
Description: 

A small number of CiviCRM entry points performed faulty permission checks. Under certain circumstances, this could allow an attacker to view basic contact information (name, email, phone, or address) for contacts in the database.

The risk is limited to viewing basic contact information; it does not expose contributions, memberships, passwords, or other data, and it does not allow an attacker to log in or make changes to the database.

All sites are advised to upgrade immediately. The advisory does not identify the affected entry points, so upgrading is the only mitigation described.

Solutions: 

Upgrade to one of the fixed versions (CiviCRM 4.4.6 or CiviCRM LTS 4.2.17).

Credits: 

Coleman Watts (CiviCRM LLC)