CIVI-SA-2016-02: Access bypass

Published
2016-02-02 02:06

The 4.6.11 release of CiviCRM addresses an issue whereby users with limited administrative rights (data viewing) were able to modify certain fields within CiviCRM.

Security Risk
Moderately Critical
Vulnerability
Access Bypass
Affected Versions
  • CiviCRM 4.6.10 and below
Fixed Versions
  • CiviCRM 4.6.11 and above
Solutions
  • Upgrade to a fixed version of CiviCRM, 4.6.11+, OR
  • Apply patch from CRM-17533: https://github.com/civicrm/civicrm-core/pull/7163
Credits

This issue was reported and resolved by Mattias Michaux in co-ordination with the CiviCRM security team.

The CiviCRM community thanks Mattias for his contribution to CiviCRM's security.