Security Risk: 
Less Critical
Vulnerability: 
Access Bypass
Affected Versions: 

Up through v4.6.13 and v4.7.2

Fixed Versions: 

v4.6.14+ and v4.7.3+

Publication Date: 
Wednesday, March 2, 2016
Description: 

In some configurations, a malicious backend user may be able to impersonate another backend user. Both of the following conditions must be met for the issue to be exploitable:

  • The malicious backend user must already have write access to the target user's contact record.
  • The malicious backend user must know the CIVICRM_SITE_KEY.
Solutions: 

Any ONE of the following:

Optionally, if your security policy is intended to allow non-administrators to create API keys for themselves or for other contacts, grant the permission "edit own api keys" or "edit api keys", respectively. Without one of these permissions, plain write access to a contact record is no longer sufficient to set an API key on it.
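The following is an added illustration of the permission model described above; it is not CiviCRM's own code and does not use CiviCRM's internal APIs. It assumes the impersonation works through the contact's api_key field (the fixed permissions are named after it, and CiviCRM's REST endpoint authenticates a caller with the site key together with a contact's api_key), and the function names, contact IDs and the "edit all contacts" permission in the demo are constructed for the example. It contrasts a save routine that honours any field the actor has record-level write access to with one that additionally gates api_key behind "edit api keys" (any contact) or "edit own api keys" (the actor's own record only).

```php
<?php
// Added example, not CiviCRM code. Hypothetical helpers modelling the
// permission gate the advisory describes for writes to a contact's api_key.

/**
 * Decide whether the acting user may set api_key on $targetContactId.
 *
 * @param int      $actorContactId  contact ID of the logged-in backend user
 * @param int      $targetContactId contact whose record is being written
 * @param string[] $permissions     permission names the actor holds
 */
function canEditApiKey(int $actorContactId, int $targetContactId, array $permissions): bool {
  // "edit api keys" allows setting an API key on any contact.
  if (in_array('edit api keys', $permissions, TRUE)) {
    return TRUE;
  }
  // "edit own api keys" is limited to the actor's own contact record.
  if ($actorContactId === $targetContactId
      && in_array('edit own api keys', $permissions, TRUE)) {
    return TRUE;
  }
  // Record-level write access alone (condition 1 in the advisory) is not enough.
  return FALSE;
}

/**
 * Vulnerable pattern: every submitted field is saved once the actor has write
 * access to the record. A hostile user can therefore plant an api_key of their
 * choosing on the victim and, knowing CIVICRM_SITE_KEY, authenticate as them.
 */
function saveContactVulnerable(array $record, array $params, bool $canEditRecord): array {
  if (!$canEditRecord) {
    throw new RuntimeException('no write access to contact ' . $record['id']);
  }
  return array_merge($record, $params);
}

/**
 * Hardened pattern: api_key is only accepted when canEditApiKey() permits it;
 * any other attempt to write the field is rejected outright.
 */
function saveContactHardened(array $record, array $params, bool $canEditRecord,
                             int $actorContactId, array $permissions): array {
  if (!$canEditRecord) {
    throw new RuntimeException('no write access to contact ' . $record['id']);
  }
  if (array_key_exists('api_key', $params)
      && !canEditApiKey($actorContactId, (int) $record['id'], $permissions)) {
    throw new RuntimeException('not permitted to set api_key on contact ' . $record['id']);
  }
  return array_merge($record, $params);
}

// Constructed demo: contact 7 (attacker) has write access to contact 42 (victim)
// but holds neither API-key permission.
$victim = ['id' => 42, 'display_name' => 'Victim', 'api_key' => NULL];
$evil   = ['api_key' => 'attacker-chosen-key'];

$saved = saveContactVulnerable($victim, $evil, TRUE);
echo "vulnerable: victim api_key is now '{$saved['api_key']}'\n";

try {
  saveContactHardened($victim, $evil, TRUE, 7, ['edit all contacts']);
} catch (RuntimeException $e) {
  echo "hardened: {$e->getMessage()}\n";
}

// With "edit own api keys", contact 7 may still set a key on its own record.
$self = ['id' => 7, 'display_name' => 'Attacker', 'api_key' => NULL];
$ok = saveContactHardened($self, ['api_key' => 'my-own-key'], TRUE, 7, ['edit own api keys']);
echo "own record: api_key is '{$ok['api_key']}'\n";
```

The hardened variant rejects the write rather than silently dropping the field, so an audit log or API client sees the refused attempt; whichever behaviour a deployment prefers, the check must key on the target contact's ID, not on whether the actor may edit the record as a whole.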

Credits: 
  • Xavier Dutoit (Tech to the People)
  • Tim Otten (CiviCRM)