CIVI-SA-2016-10: Insufficient permissions checking when editing own comment

Published
2016-06-01 14:26

An access bypass was identified where a user who had been granted only the "View own contact" permission in the CMS was also able to edit their own contact. The bypass was limited to the user's own contact record; the permission check was still enforced for all other contacts in CiviCRM.
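To make the failure mode concrete, the following is an added illustration written for this page; it is not CiviCRM's code and not the fix in the linked pull requests. It models a contact-access check of the kind a CMS permission callback performs: the vulnerable variant short-circuits on "this is the user's own contact" without looking at which operation is requested, so holding only the view-own permission also unlocks edit. The hardened variant ties each operation to its own permission before falling through to the all-contacts permissions. The function names, the permission strings, the `$user` array layout and the sample user are assumptions for the example (PHP 7 or later).

```php
<?php
// Added example: a simplified contact-access check modelled on the
// advisory's description. It is NOT CiviCRM's code; the function names,
// permission strings and $user structure are assumptions for illustration.

// Permission names used in this example (assumed, not CiviCRM's exact strings).
const PERM_VIEW_OWN = 'view own contact';
const PERM_EDIT_OWN = 'edit own contact';
const PERM_VIEW_ALL = 'view all contacts';
const PERM_EDIT_ALL = 'edit all contacts';

function hasPermission(array $user, string $perm): bool
{
    return in_array($perm, $user['permissions'], true);
}

// Vulnerable: ownership plus "view own" grants access regardless of the
// operation, so a view-only user is allowed to edit their own record.
function canAccessContactVulnerable(array $user, int $contactId, string $operation): bool
{
    if ($contactId === $user['contact_id'] && hasPermission($user, PERM_VIEW_OWN)) {
        return true; // BUG: $operation is never consulted here
    }
    if ($operation === 'edit') {
        return hasPermission($user, PERM_EDIT_ALL);
    }
    return hasPermission($user, PERM_VIEW_ALL) || hasPermission($user, PERM_EDIT_ALL);
}

// Hardened: each operation maps to its own "own contact" permission,
// and anything else falls through to the all-contacts permissions.
// Unknown operations are denied rather than treated as "view".
function canAccessContact(array $user, int $contactId, string $operation): bool
{
    $isOwn = ($contactId === $user['contact_id']);
    switch ($operation) {
        case 'view':
            if ($isOwn && hasPermission($user, PERM_VIEW_OWN)) {
                return true;
            }
            return hasPermission($user, PERM_VIEW_ALL) || hasPermission($user, PERM_EDIT_ALL);
        case 'edit':
            if ($isOwn && hasPermission($user, PERM_EDIT_OWN)) {
                return true;
            }
            return hasPermission($user, PERM_EDIT_ALL);
        default:
            return false;
    }
}

// Constructed sample input: a CMS user whose only CiviCRM permission is
// "view own contact", and whose own contact ID is 42.
$user = ['contact_id' => 42, 'permissions' => [PERM_VIEW_OWN]];

$cases = [
    ['vulnerable check, edit own contact', canAccessContactVulnerable($user, 42, 'edit')],
    ['hardened check, edit own contact',   canAccessContact($user, 42, 'edit')],
    ['hardened check, view own contact',   canAccessContact($user, 42, 'view')],
    ['hardened check, view other contact', canAccessContact($user, 43, 'view')],
    ['hardened check, edit other contact', canAccessContact($user, 43, 'edit')],
];

foreach ($cases as [$label, $allowed]) {
    printf("%-36s %s\n", $label . ':', $allowed ? 'ALLOWED' : 'denied');
}
```

Running the script shows the vulnerable check granting edit on the user's own contact even though only view-own is held, while the hardened check allows only view on the own contact and denies everything on other contacts, which is the behaviour the advisory describes. When auditing a permission callback of this shape, the thing to look for is any early `return true` that is reached before the requested operation has been examined.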

Security Risk
Moderately Critical
Vulnerability
Access Bypass
Affected Versions

CiviCRM 4.7.x versions prior to 4.7.8, and 4.6.x versions prior to 4.6.17

Fixed Versions

CiviCRM versions 4.7.8 or greater, or 4.6.17 or greater

Solutions
  • Upgrade to CiviCRM 4.7.8 or greater, or 4.6.17 or greater
  • For 4.7.x sites, apply the patches from https://github.com/civicrm/civicrm-core/pull/8305
  • For 4.6.x sites, apply the patches from https://github.com/civicrm/civicrm-core/pull/8340
Credits

Gemma Potaka and Peter Davis of Fuzion NZ for reporting the issue.

Jitendra Purohit, Peter Davis and Monish Deb for collaborating on the testing and fix.

References
  • http://civicrm.stackexchange.com/questions/10422/should-civicrm-view-my-contact-permission-result-in-user-being-able-to-edit-t
  • https://issues.civicrm.org/jira/browse/CRM-18239
CVE
CIVI-SA-2016-10