Security Risk:
Moderately Critical
Vulnerability:
Information Disclosure
Affected Versions:
v3.0.0 through v4.4.6, 4.3.8, 4.2.18
Fixed Versions:
v4.4.7+, v4.3.9+, v4.2.19+
Publication Date:
Wednesday, September 17, 2014
Description: 

CiviCRM uses AJAX callbacks to provide advisory details while completing certain forms. For example, when registering a new user through a profile form, CiviCRM issues an AJAX request to determine whether the username is available.

Some AJAX callbacks did not test for authorization, enabling untrusted parties to:

  • Determine whether a username was in-use
  • Determine the primary email address for a given contact ID
  • Determine the list of available options in certain custom fields

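As an added illustration (not CiviCRM's code and not part of this advisory), the shape of the bug described above beside its hardened form: each lookup callback is gated on a permission before it reads any data, so an anonymous caller gets the same refusal whether or not the username, contact or field exists. The sample records, the endpoint functions and the permission names in the decorators are assumptions made for the example.

```python
# Constructed example; not CiviCRM code. Sample data and permission names are assumed.
from dataclasses import dataclass

# Constructed sample records standing in for the application's own store.
USERS = {"alice", "bob"}
CONTACTS = {101: "alice@example.org", 102: "bob@example.org"}
CUSTOM_FIELD_OPTIONS = {"membership_tier": ["gold", "silver"]}

@dataclass
class Session:
    authenticated: bool = False
    permissions: frozenset = frozenset()

class Denied(Exception):
    """Raised when the caller lacks the permission an endpoint requires."""

# Vulnerable shape: the callback answers anyone who can reach the URL.
def username_in_use_unchecked(session, name):
    return {"in_use": name in USERS}

# Hardened shape: each callback declares the permission it needs, and the
# guard denies before any data is touched, so a refusal reveals nothing
# about whether the username, contact or field exists.
def require_permission(perm):
    def wrap(fn):
        def guarded(session, *args):
            if not session.authenticated or perm not in session.permissions:
                raise Denied(perm)
            return fn(session, *args)
        return guarded
    return wrap

@require_permission("access CiviCRM")      # assumed permission name
def username_in_use(session, name):
    return {"in_use": name in USERS}

@require_permission("view all contacts")   # assumed permission name
def primary_email(session, contact_id):
    return {"email": CONTACTS.get(contact_id)}

@require_permission("access CiviCRM")
def custom_field_options(session, field_name):
    return {"options": CUSTOM_FIELD_OPTIONS.get(field_name, [])}

def call(endpoint, session, *args):
    """Dispatch like an AJAX router; a Denied becomes an HTTP-style 403."""
    try:
        return 200, endpoint(session, *args)
    except Denied as e:
        return 403, {"error": "permission required", "permission": str(e)}
```
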
Solutions: 

Any ONE of the following solutions will provide protection:

Credits: 
  • Dave Jenkins (Circle Interactive)
  • Tim Otten (CiviCRM)