Security Risk: 
Less Critical
Vulnerability: 
Access Bypass
Affected Versions: 

All versions with CiviCase.

Fixed Versions: 

4.4.11

4.5.5

Publication Date: 
Wednesday, December 17, 2014
Description: 

CiviCase functionality includes several URLs which allow a user to view and edit a limited amount of case info. Some of these URLs did not adequately check permissions and could be used by any user with the "Access CiviCRM" permission.

This problem only affects sites using the CiviCase component. It is mitigated by the fact that the user must have "Access CiviCRM," a permission not normally granted to untrusted users.

Solutions: 

Any ONE of the following solutions will provide protection:

Credits: 

Coleman Watts and Tim Otten of the CiviCRM core team.