Security Risk: 
Moderately Critical
Vulnerability: 
Access Bypass
Affected Versions: 

CiviCRM versions prior to 4.7.8 or 4.6.17

Fixed Versions: 

CiviCRM versions 4.7.8 or greater, or 4.6.17 or greater

Publication Date: 
Thursday, June 2, 2016
Description: 

An access bypass was identified: a user granted only the "View own contact" permission in the CMS was also able to edit their own contact. This gap in the permission check did not extend to other contacts in CiviCRM.
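
The following is an added example modelling the kind of check the advisory describes; it is not CiviCRM code. Only the "View own contact" permission name comes from the advisory; "Edit own contact", "View all contacts", "Edit all contacts", the `User` record and the two check functions are assumptions for illustration. It contrasts a check that grants any action on the caller's own record from the view-only permission with one that requires an action-specific permission, while both correctly refuse access to other contacts.

```python
"""Schematic model of an "own contact" access check (added illustration,
not CiviCRM code). Permission names other than "View own contact" are
assumed placeholders."""
from dataclasses import dataclass, field

VIEW_OWN = "View own contact"   # named in the advisory
EDIT_OWN = "Edit own contact"   # assumed placeholder
VIEW_ALL = "View all contacts"  # assumed placeholder
EDIT_ALL = "Edit all contacts"  # assumed placeholder


@dataclass(frozen=True)
class User:
    """Constructed caller: the contact record it owns and its permissions."""
    contact_id: int
    permissions: frozenset = field(default_factory=frozenset)


def vulnerable_check(user: User, action: str, contact_id: int) -> bool:
    """Weak check: 'own contact' is treated as one permission for every action."""
    if action == "view" and VIEW_ALL in user.permissions:
        return True
    if action == "edit" and EDIT_ALL in user.permissions:
        return True
    # Defect: any action on the caller's own record is granted by the
    # view-only permission, so "edit" of one's own contact slips through.
    if contact_id == user.contact_id and VIEW_OWN in user.permissions:
        return True
    return False


# The permission each action needs, separately for own record and for all records.
REQUIRED_OWN = {"view": VIEW_OWN, "edit": EDIT_OWN}
REQUIRED_ALL = {"view": VIEW_ALL, "edit": EDIT_ALL}


def fixed_check(user: User, action: str, contact_id: int) -> bool:
    """Hardened check: the action decides which permission is required."""
    if action not in REQUIRED_OWN:
        return False  # deny unknown actions rather than fall through
    if REQUIRED_ALL[action] in user.permissions:
        return True
    if contact_id == user.contact_id and REQUIRED_OWN[action] in user.permissions:
        return True
    return False


def compare(user: User, action: str, contact_id: int) -> dict:
    """Decisions of both checks for one request, for side-by-side inspection."""
    return {
        "vulnerable": vulnerable_check(user, action, contact_id),
        "fixed": fixed_check(user, action, contact_id),
    }


if __name__ == "__main__":
    viewer = User(contact_id=7, permissions=frozenset({VIEW_OWN}))
    for action, target in (("view", 7), ("edit", 7), ("edit", 8)):
        print(action, target, compare(viewer, action, target))
```

The key difference is that `fixed_check` never lets a permission for one action satisfy a request for another; the request's action selects the permission, so the only way to edit one's own contact is to hold the edit permission.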

Solutions: 
Credits: 

Gemma Potaka and Peter Davis of Fuzion NZ for reporting the issue.

Jitendra Purohit, Peter Davis and Monish Deb for collaborating on the testing and fix.

CVE: 
CIVI-SA-2016-10