CIVI-SA-2017-07: Insufficient permission-check in mailing report

Published: 2017-07-05 23:00
Written by: seamuslee (member of the CiviCRM community)

When viewing the CiviCRM "Mailing" report, a logged-in user could modify the URL to access the report for another mailing, even if
they ordinarily would not have access to that information.
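To make the bypass class concrete, the following is an added, constructed Python model of a report handler; it is not CiviCRM's code, and the permission name, the domain rule and the `MAILINGS` table are assumptions. The vulnerable version serves any mailing id taken from the URL once the user is logged in; the fixed version also checks that this user may view that particular mailing.

```python
from dataclasses import dataclass, field

@dataclass
class User:
    name: str
    logged_in: bool
    domain_id: int = 1
    permissions: set = field(default_factory=set)  # assumed names, e.g. "access CiviMail"

@dataclass
class Mailing:
    domain_id: int
    created_by: str
    subject: str

class AccessDenied(Exception): pass

# Constructed sample data: two mailings owned by different users in different domains.
MAILINGS = {101: Mailing(1, "alice", "Monthly newsletter"),
            102: Mailing(2, "bob", "Partner campaign")}

def report_vulnerable(user: User, mailing_id: int) -> str:
    """Before: authentication only; the id taken from the URL is never authorised."""
    if not user.logged_in:
        raise AccessDenied("login required")
    return MAILINGS[mailing_id].subject  # any logged-in user reaches any mailing

def may_view_mailing(user: User, mailing: Mailing) -> bool:
    """Object-level rule (assumption): CiviMail permission in the same domain, or ownership."""
    if "access CiviMail" in user.permissions and mailing.domain_id == user.domain_id:
        return True
    return mailing.created_by == user.name

def report_fixed(user: User, mailing_id: int) -> str:
    """After: authenticate, load the object, then check this user against this object."""
    if not user.logged_in:
        raise AccessDenied("login required")
    mailing = MAILINGS.get(mailing_id)
    # One response for 'missing' and 'forbidden' so the id space cannot be probed.
    if mailing is None or not may_view_mailing(user, mailing):
        raise AccessDenied("mailing not found or not permitted")
    return mailing.subject

def is_denied(handler, user: User, mailing_id: int) -> bool:
    # True when the handler refuses the request; lets both versions be compared.
    try:
        handler(user, mailing_id)
    except AccessDenied:
        return True
    return False
```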
Security Risk: Moderately Critical
Vulnerability: Access Bypass
Affected Versions:
  • 4.7.20 and earlier
  • 4.6.28 and earlier
Fixed Versions:
  • 4.7.21
  • 4.6.29
Solutions

Upgrade to the latest version of CiviCRM

If you cannot upgrade, you should apply the following patch

Credits

Dave Jenkins of Circle interactive for reporting the issue and fixing it