CIVI-SA-2014-004 - Information Disclosure

Published
2014-09-17 01:04
Written by

CiviCRM uses AJAX callbacks to provide advisory details while completing certain forms. For example, when registering a new user through a profile form, CiviCRM issues an AJAX request to determine whether the username is available.

Some AJAX callbacks did not test for authorization, enabling untrusted parties to:

  • Determine whether a username was in use
  • Determine the primary email address for a given contact ID
  • Determine the list of available options in certain custom fields
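
The missing authorization test described above, sketched as an added example (not CiviCRM's code and not the actual fix): a dispatcher that runs an AJAX callback only when the caller holds the permission registered for it, and refuses unregistered callbacks by default. The callback names, permission strings, sample data and the `$user` array shape are all hypothetical.

```php
<?php
// Illustrative only: callback names, permission strings and data are
// constructed for this example and are not CiviCRM identifiers.

// Every AJAX callback is registered together with the permission it requires.
const CALLBACK_PERMISSIONS = [
    'username_available' => 'example: check usernames',
    'contact_email'      => 'example: view contacts',
    'custom_options'     => 'example: view custom data',
];

// Constructed sample data standing in for the CRM database.
const USERNAMES      = ['alice'];
const CONTACT_EMAILS = [101 => 'alice@example.org'];

function run_callback(string $name, array $args): array
{
    switch ($name) {
        case 'username_available':
            return ['available' => !in_array($args['name'] ?? '', USERNAMES, true)];
        case 'contact_email':
            return ['email' => CONTACT_EMAILS[(int) ($args['cid'] ?? 0)] ?? null];
        default: // 'custom_options'
            return ['options' => ['Red', 'Green']];
    }
}

// Authorization is tested before any lookup runs. Unknown callbacks and
// unauthorized callers get the same refusal, so the response reveals nothing.
function dispatch_ajax(array $user, string $name, array $args): array
{
    $required = CALLBACK_PERMISSIONS[$name] ?? null;
    if ($required === null || !in_array($required, $user['permissions'], true)) {
        return ['status' => 403, 'body' => ['error' => 'Forbidden']];
    }
    return ['status' => 200, 'body' => run_callback($name, $args)];
}

$anonymous = ['permissions' => []];
$staff     = ['permissions' => ['example: view contacts']];

// The untrusted caller is refused on both lookups; the staff user is served.
echo json_encode(dispatch_ajax($anonymous, 'username_available', ['name' => 'alice'])), "\n";
echo json_encode(dispatch_ajax($anonymous, 'contact_email', ['cid' => 101])), "\n";
echo json_encode(dispatch_ajax($staff, 'contact_email', ['cid' => 101])), "\n";
```
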
Security Risk
Moderately Critical
Vulnerability
Information Disclosure
Affected Versions

v3.0.0 through v4.4.6, 4.3.8, 4.2.18

Fixed Versions

v4.4.7+, v4.3.9+, v4.2.19+

Solutions

Any ONE of the following solutions will provide protection:

Credits
  • Dave Jenkins (Circle Interactive)
  • Tim Otten (CiviCRM)