CIVI-SA-2016-10: Insufficient permissions checking when editing own comment

An access bypass was identified where if a user was permitted only the "View own contact" permission in the CMS, they were also able to edit their own contact. This bypass of permissions checking did not extend to other contacts in CiviCRM.

Security Risk

Moderately Critical

Vulnerability

Access Bypass

Affected Versions

CiviCRM versions prior to 4.7.8 or 4.6.17

Fixed Versions

CiviCRM versions 4.7.8 or greater, or 4.6.17 or greater

Solutions

Upgrade to CiviCRM 4.7.8 or greater, or 4.6.17 or greater
4.7.x sites, apply patches from https://github.com/civicrm/civicrm-core/pull/8305
4.6.x sites, apply patches from https://github.com/civicrm/civicrm-core/pull/8340

Credits

Gemma Potaka and Peter Davis of Fuzion NZ for reporting the issue.

Jitendra Purohit, Peter Davis and Monish Deb for collaborating on the testing and fix.

References

http://civicrm.stackexchange.com/questions/10422/should-civicrm-view-my-contact-permission-result-in-user-being-able-to-edit-t
https://issues.civicrm.org/jira/browse/CRM-18239

CVE

CIVI-SA-2016-10

CIVI-SA-2016-10: Insufficient permissions checking when editing own comment

WORK WITH A TRUSTED EXPERT
TO SETUP YOUR CIVICRM

Languages

CIVI-SA-2016-10: Insufficient permissions checking when editing own comment

WORK WITH A TRUSTED EXPERT TO SETUP YOUR CIVICRM

WORK WITH A TRUSTED EXPERT
TO SETUP YOUR CIVICRM