CIVI-SA-2016-02: Access bypass

Published

2016-02-02 02:06

Written by

The 4.6.11 release of CiviCRM addresses an issue whereby users with limited administrative rights (data viewing) were able to modify certain fields within CiviCRM.

Security Risk

Moderately Critical

Vulnerability

Access Bypass

Affected Versions

CiviCRM 4.6.10 and below

Fixed Versions

CiviCRM 4.6.11 and above

Solutions

Upgrade to a fixed version of CiviCRM, 4.6.11+, OR
Apply patch from CRM-17533: https://github.com/civicrm/civicrm-core/pull/7163

Credits

This issue was reported and resolved by Mattias Michaux in co-ordination with the CiviCRM security team.

The CiviCRM community thanks Mattias for his contribution to CiviCRM's security.

We are in the process of translating the civicrm.org website. Translations may not be available in all languages. Read more and participate.

© 2005 - 2023, CIVICRM LLC. All rights reserved.
CiviCRM and the CiviCRM logo are trademarks of CIVICRM LLC. Except where otherwise noted, content on this site is licensed under a Creative Commons Attribution-Share Alike 3.0 United States Licence.

[D8]

CIVI-SA-2016-02: Access bypass

WORK WITH A TRUSTED EXPERT
TO SETUP YOUR CIVICRM

Languages

CIVI-SA-2016-02: Access bypass

WORK WITH A TRUSTED EXPERT TO SETUP YOUR CIVICRM

WORK WITH A TRUSTED EXPERT
TO SETUP YOUR CIVICRM