Security Risk: Critical
Vulnerability: Access Bypass
Affected Versions:
  • 4.7.20 and earlier
  • 4.6.28 and earlier
Fixed Versions:
  • 4.7.21
  • 4.6.29
Publication Date: Wednesday, July 5, 2017
Description: 

After successfully calling the "Contact.create" API, the caller could receive a list of all fields relating to the contact -- including a sensitive field that normally has restricted access. In some contexts, leaking the sensitive field could allow an attacker to access CiviCRM as the targeted user.
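The defect above is easiest to check for from the client side: inspect what Contact.create actually sends back. The following is an added example, not CiviCRM's own code; it parses an APIv3-shaped JSON response and reports any restricted fields echoed back per contact. The advisory does not name the sensitive field, so "api_key" and "hash" are assumed field names, and both responses are constructed samples.

```python
"""Regression check for the CiviCRM Contact.create response leak."""
import json

# Fields treated as restricted for this check. "api_key" and "hash" are
# ASSUMED names for the sensitive field; the advisory does not name it.
RESTRICTED_FIELDS = {"api_key", "hash"}

# Constructed APIv3-style response modelled on a vulnerable server: the
# "values" entry echoes back every column of the new contact record.
VULNERABLE_RESPONSE = json.dumps({
    "is_error": 0, "version": 3, "count": 1, "id": 101,
    "values": {"101": {"id": "101", "contact_type": "Individual",
                       "display_name": "Test Contact",
                       "api_key": "EXAMPLE-KEY-NOT-REAL",
                       "hash": "0123abcd"}},
})

# Constructed response from a server that omits the restricted fields.
FIXED_RESPONSE = json.dumps({
    "is_error": 0, "version": 3, "count": 1, "id": 101,
    "values": {"101": {"id": "101", "contact_type": "Individual",
                       "display_name": "Test Contact"}},
})


def leaked_fields(raw_response, restricted=RESTRICTED_FIELDS):
    """Return {contact_id: sorted restricted field names} for every contact
    in an APIv3 response that carries a non-empty restricted field.
    An empty dict means the response is clean."""
    data = json.loads(raw_response)
    if data.get("is_error"):
        # Error responses carry no contact payload; nothing to inspect.
        return {}
    values = data.get("values") or {}
    # APIv3 may return "values" as a dict keyed by id or as a list.
    records = values.values() if isinstance(values, dict) else values
    leaks = {}
    for rec in records:
        present = sorted(f for f in restricted
                         if f in rec and rec[f] not in ("", None))
        if present:
            leaks[str(rec.get("id"))] = present
    return leaks


if __name__ == "__main__":
    print("vulnerable:", leaked_fields(VULNERABLE_RESPONSE))  # {'101': ['api_key', 'hash']}
    print("fixed:", leaked_fields(FIXED_RESPONSE))             # {}
```

Run the same check against a real Contact.create response captured from a test instance after upgrading to confirm the restricted field is no longer returned.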

Solutions: 

Upgrade to the latest version of CiviCRM.

If you cannot upgrade to the latest version of CiviCRM, apply the following patch.

Credits: 

Thomas Schüttler of Oxfam for reporting the issue

Tim Otten of CiviCRM for fixing the issue