CIVI-SA-2017-02: Privilege escalation via leaked key

2017-07-05 23:00
Written by seamuslee - member of the CiviCRM community

After successfully calling the "Contact.create" API, the caller could receive a list of all fields relating to the contact, including a sensitive field that normally has restricted access. In some contexts, leaking that field could allow an attacker to access CiviCRM as the targeted user.
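As an added illustration of the bug class described above (a constructed model, not CiviCRM's own code; the field, permission and contact values are hypothetical), the leaky pattern echoes the full stored record after a write, while the fixed pattern applies the same field-level read check on the way out:

```python
# Constructed model of a create-style API that writes a record and then returns it.
# The restricted field stands in for the sensitive field the advisory refers to;
# its name, the permission name and the contact data are all hypothetical.
import copy
from typing import Any, Dict, Set

# Constructed in-memory contact store (hypothetical data).
CONTACTS: Dict[int, Dict[str, Any]] = {
    7: {"id": 7, "display_name": "Alice Example",
        "email": "alice@example.org", "restricted_field": "SECRET-VALUE"},
}

# Fields that may only be read by callers holding the named (hypothetical) permission.
RESTRICTED_FIELDS: Dict[str, str] = {"restricted_field": "administer sensitive fields"}


def _write(params: Dict[str, Any]) -> Dict[str, Any]:
    """Apply the caller's params to the stored contact and return a copy of it."""
    cid = params["id"]
    CONTACTS[cid].update({k: v for k, v in params.items() if k != "id"})
    return copy.deepcopy(CONTACTS[cid])


def filter_restricted(record: Dict[str, Any], caller_perms: Set[str]) -> Dict[str, Any]:
    """Drop every restricted field the caller lacks permission to read."""
    return {k: v for k, v in record.items()
            if k not in RESTRICTED_FIELDS or RESTRICTED_FIELDS[k] in caller_perms}


def create_contact_leaky(caller_perms: Set[str], params: Dict[str, Any]) -> Dict[str, Any]:
    """Vulnerable pattern: the response is the whole stored row, so a field the
    caller never supplied and is not allowed to read is returned anyway."""
    return _write(params)


def create_contact_fixed(caller_perms: Set[str], params: Dict[str, Any]) -> Dict[str, Any]:
    """Fixed pattern: the write path reuses the read path's field-level check,
    so the response only contains what the caller could have fetched directly."""
    return filter_restricted(_write(params), caller_perms)
```

The detection point for an auditor is that the create and get paths share one output filter; the two functions above differ only in whether that filter is applied.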

Security Risk
Access Bypass
Affected Versions
  • 4.7.20 and earlier
  • 4.6.28 and earlier
Fixed Versions
  • 4.7.21
  • 4.6.29

Upgrade to the latest version of CiviCRM.

If you cannot upgrade to the latest version of CiviCRM, apply the following patch:


  • Thomas Schüttler of Oxfam for reporting the issue
  • Tim Otten of CiviCRM for fixing the issue