CIVI-SA-2014-002 - Risk of Information Disclosure by Anonymous Users

Published
2014-07-01 16:42

A small number of CiviCRM entry points had faulty permission checks. Under certain circumstances, this could allow an anonymous (unauthenticated) user to view basic contact information such as name, email, phone, or address for contacts in the database.

The risk is limited to viewing basic contact information; it does not include contributions, memberships, passwords or other data. It does not give an attacker the ability to log in or make changes to the database.

All sites are advised to upgrade immediately to avoid the potential risk.

Security Risk
Critical
Vulnerability
Information Disclosure
Affected Versions
  • CiviCRM version 4.4.5 and earlier
  • CiviCRM LTS version 4.2.16 and earlier
Fixed Versions
  • CiviCRM 4.4.6
  • CiviCRM LTS 4.2.17
Solutions

Upgrade to one of the fixed versions.

Credits

Coleman Watts (CiviCRM LLC)