Security Risk: 
Access Bypass
Affected Versions: 
  • 4.7.20 and earlier
  • 4.6.28 and earlier
Fixed Versions: 
  • 4.7.21
  • 4.6.29
Publication Date: 
Wednesday, July 5, 2017

After successfully calling the "Contact.create" API, the caller could receive a list of all fields relating to the contact, including a sensitive field that normally has restricted access. In some contexts, leaking the sensitive field could allow an attacker to access CiviCRM as the targeted user.
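The defect class described above is a write action ("create") that echoes the whole stored record back to the caller, while the read action ("get") filters restricted fields by permission. The following is an added illustration of that pattern and its fix, written here as a small in-memory model; it is not CiviCRM code, and the field name "restricted_field", the permission names, and the store class are constructed placeholders, not the real CiviCRM identifiers.

```python
# Added example (not CiviCRM code): an API "create" action must run its
# response through the same field-level permission filter that "get" uses.
# Field names, permission names and the store class are constructed placeholders.

import secrets

# Constructed: restricted field -> permission required to read it back.
RESTRICTED_FIELDS = {
    "restricted_field": "view restricted field",  # placeholder names
}


def filter_restricted(record: dict, permissions: set) -> dict:
    """Return a copy of record without restricted fields the caller may not see."""
    return {
        name: value
        for name, value in record.items()
        if name not in RESTRICTED_FIELDS or RESTRICTED_FIELDS[name] in permissions
    }


class ContactStore:
    """Tiny in-memory stand-in for a contact table (constructed for the demo)."""

    def __init__(self):
        self._rows = {}
        self._next_id = 1

    def _insert(self, values: dict) -> dict:
        # The server populates the restricted field itself (e.g. a generated
        # secret), so every stored row carries it regardless of the caller.
        row = {"id": self._next_id, **values,
               "restricted_field": secrets.token_hex(8)}
        self._rows[row["id"]] = row
        self._next_id += 1
        return row

    def get(self, contact_id: int, permissions: set) -> dict:
        # Read path: restricted fields are removed unless permitted.
        return filter_restricted(self._rows[contact_id], permissions)

    def create_leaky(self, values: dict, permissions: set) -> dict:
        # Defect class from the advisory: the write path returns the full
        # stored row, bypassing the filter that get() enforces.
        return dict(self._insert(values))

    def create_fixed(self, values: dict, permissions: set) -> dict:
        # Hardened: the create response is filtered exactly like get().
        return filter_restricted(self._insert(values), permissions)


def leaked_fields(create_result: dict, get_result: dict) -> set:
    """Regression check: any field that create returns but get withholds
    for the same caller is an access bypass."""
    return set(create_result) - set(get_result)


def demo() -> dict:
    store = ContactStore()
    caller = {"add contacts"}  # constructed: lacks "view restricted field"
    values = {"display_name": "Example Person"}

    leaky = store.create_leaky(values, caller)
    fixed = store.create_fixed(values, caller)
    return {
        "leaky": leaked_fields(leaky, store.get(leaky["id"], caller)),
        "fixed": leaked_fields(fixed, store.get(fixed["id"], caller)),
    }


if __name__ == "__main__":
    print(demo())  # {'leaky': {'restricted_field'}, 'fixed': set()}
```

The `leaked_fields` comparison is the check worth keeping as a regression test on any API layer: for every write action, the response to a given caller must be a subset of what that caller can read back, otherwise the write path has become a side channel around the read permissions.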


Solution: 
Upgrade to the latest version of CiviCRM.

If you cannot upgrade to the latest version of CiviCRM, apply the following patch


Credits: 
  • Thomas Schüttler of Oxfam for reporting the issue
  • Tim Otten of CiviCRM for fixing the issue