CiviCase functionality includes several urls which allow a user to view and edit a limited amount of case info. Some of these urls were not adequately checking permissions and could be used by any user with "Access CiviCRM" permission.
This problem only affects sites using the CiviCase component. It is mitigated by the fact that the user must have "Access CiviCRM," a permission not normally granted to untrusted users.
All versions with CiviCase.
Any ONE of the following solutions will provide protection:
- Upgrade to one of the fixed versions: 4.4.11 or 4.5.5.
- Backport the patch at https://github.com/civicrm/civicrm-core/pull/4729.diff
Coleman Watts and Tim Otten of the CiviCRM core team.