- CiviCRM v4.4.5 and earlier
- CiviCRM v4.2.16 and earlier
- CiviCRM v4.4.6
- CiviCRM v4.2.17
The CiviCRM Profile subsystem allows administrators to design customized forms. The subsystem includes some advanced workflow settings which are not securely handled. By submitting a custom-crafted form to the Profile subsystem, an attacker may manipulate these settings. This vulnerability can be leveraged to acquire escalated privileges and (possibly) to issue open redirects.
This vulnerability affects any site which has enabled the CiviCRM Profile system (regardless of whether advanced settings are used), but it does not affect sites which restrict access to profiles.
Any ONE of the following solutions will provide protection:
- Upgrade to CiviCRM 4.4.6+ or 4.2.17+
- Deny public access to the profile system. Depending on your system configuration, this might mean disabling the permissions ("profile listings and forms", "profile create", "profile edit") or disabling profile ACLs.
Jim Meehan (Bay Area Children's Theatre)
Tim Otten (CiviCRM LLC)