Security Risk: Critical
Vulnerability: Access Bypass
Affected Versions: CiviCRM Versions prior to 4.7.11 or 4.6.21
Fixed Versions: CiviCRM Versions 4.7.11 or greater, or 4.6.21 or greater
Publication Date: Wednesday, September 7, 2016
Description: 

CiviCRM allows users to import contacts using CSV or SQL. Prior to 4.7.11 (or 4.6.21), the permission "import contacts" allowed users to import by any means -- either CSV or SQL. A user with this permission could use it to bypass ACL rules. Beginning with 4.7.11+ (or 4.6.21+), there is a separate permission, "import SQL datasource". If you want your users to be able to import contacts using SQL, you must now grant both permissions ("import contacts" and "import SQL datasource"). It is recommended that this permission be given only to the most trustworthy users.
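
The permission change above can be checked against a site's role configuration before and after upgrading. The following is an added example, not CiviCRM's own code: it models the old rule ("import contacts" alone unlocks SQL import) and the new rule (both permissions required) and lists which roles could reach the SQL import path under each. The role names and their permission sets are constructed for the example; the two permission strings are the ones named in this advisory.

```python
# Added example (not CiviCRM project code): audit which CMS roles can reach
# CiviCRM's SQL import path before and after the 4.7.11 / 4.6.21 permission split.

IMPORT_CONTACTS = "import contacts"       # permission named in the advisory
IMPORT_SQL = "import SQL datasource"      # new permission introduced by the fix

# Constructed sample: role name -> set of granted CiviCRM permissions.
# These roles and assignments are hypothetical, not taken from a real site.
SAMPLE_ROLES = {
    "administrator": {IMPORT_CONTACTS, IMPORT_SQL, "administer CiviCRM"},
    "data entry": {IMPORT_CONTACTS, "view all contacts"},
    "fundraiser": {"access CiviContribute", "view my contact"},
    "migration": {IMPORT_CONTACTS, IMPORT_SQL},
}


def can_import_sql(perms, fixed):
    """Return True if a role holding `perms` can use the SQL import path.

    fixed=False models versions before 4.7.11 / 4.6.21, where "import contacts"
    alone allowed SQL import (the ACL bypass described in the advisory).
    fixed=True models the patched behaviour, where both permissions are required.
    """
    if IMPORT_CONTACTS not in perms:
        return False
    return IMPORT_SQL in perms if fixed else True


def audit(roles, fixed):
    """Sorted list of roles able to import via SQL under the given rule."""
    return sorted(name for name, perms in roles.items() if can_import_sql(perms, fixed))


def roles_losing_sql_import(roles):
    """Roles that could import via SQL on an unpatched site but not on a patched one.

    These hold "import contacts" without "import SQL datasource"; on an unpatched
    site they are the roles exposed to the ACL bypass, so they are the ones to
    review (or to grant the new permission to, if SQL import is actually needed).
    """
    before = set(audit(roles, fixed=False))
    after = set(audit(roles, fixed=True))
    return sorted(before - after)


if __name__ == "__main__":
    print("SQL import possible before fix:", audit(SAMPLE_ROLES, fixed=False))
    print("SQL import possible after fix: ", audit(SAMPLE_ROLES, fixed=True))
    print("roles to review:", roles_losing_sql_import(SAMPLE_ROLES))
```

To use this against a real site, replace `SAMPLE_ROLES` with an export of each role's CiviCRM permissions from the CMS; any role listed by `roles_losing_sql_import` held SQL import capability on the unpatched version without an explicit grant.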

Solutions: 

Any ONE of the following should provide protection:

Credits: 

Chris Burgess (Fuzion) for identifying the issue

Tim Otten (CiviCRM) for fixing the issue

References: