CIVI-SA-2017-02: Privilege escalation via leaked key

Published: 2017-07-05 23:00
Written by: seamuslee (member of the CiviCRM community)

After successfully calling the "Contact.create" API, the caller could receive a list of all fields relating to the contact -- including a sensitive field that normally has restricted access. In some contexts, leaking the sensitive field could allow an attacker to access CiviCRM as the targeted user.
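The flaw described above, modelled in plain PHP as an added illustration (this is not CiviCRM's own code): a create handler that hands back the whole stored record to any caller, beside a hardened one that strips restricted fields from the response unless the caller holds the permission that normally guards them. The field name `restricted_token`, the `callerIsAdmin` flag and the sample record are assumptions.

```php
<?php
// Added illustration of the advisory's bug, not CiviCRM code.
// Field names and the permission flag are hypothetical.
declare(strict_types=1);

// Fields that only a privileged caller may read (hypothetical name).
const RESTRICTED_FIELDS = ['restricted_token'];

// Stand-in for the stored contact after create; values are constructed sample data.
function createContact(array $params): array
{
    return $params + ['id' => 42, 'restricted_token' => 'SAMPLE-NOT-A-REAL-VALUE'];
}

// Vulnerable shape: the create call returns the entire stored record,
// so an unprivileged caller receives the restricted field too.
function createContactVulnerable(array $params, bool $callerIsAdmin): array
{
    return createContact($params);
}

// Hardened shape: apply the same read restriction to the create response
// that applies to an ordinary read of the record.
function createContactHardened(array $params, bool $callerIsAdmin): array
{
    $record = createContact($params);
    if ($callerIsAdmin) {
        return $record;
    }
    return array_diff_key($record, array_flip(RESTRICTED_FIELDS));
}

// Defender's check: does a create response contain any restricted field?
function leaksRestrictedField(array $response): bool
{
    return array_intersect_key($response, array_flip(RESTRICTED_FIELDS)) !== [];
}

$params = ['first_name' => 'Ada', 'contact_type' => 'Individual'];

// Unprivileged caller: the vulnerable handler leaks, the hardened one does not.
var_dump(leaksRestrictedField(createContactVulnerable($params, false)));
var_dump(leaksRestrictedField(createContactHardened($params, false)));

// Privileged caller: the hardened handler still returns the field it is allowed to see.
var_dump(leaksRestrictedField(createContactHardened($params, true)));
```

The same check can be run as a regression test against any write API whose response echoes the stored record.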

Security Risk: Critical
Vulnerability: Access Bypass
Affected Versions:
  • 4.7.20 and earlier
  • 4.6.28 and earlier
Fixed Versions:
  • 4.7.21
  • 4.6.29
Solutions

Upgrade to the latest version of CiviCRM.

If you cannot upgrade to the latest version of CiviCRM, apply the following patch.

Credits

Thomas Schüttler of Oxfam for reporting the issue

Tim Otten of CiviCRM for fixing the issue