CIVI-SA-2017-07: Insufficient permission-check in mailing report

2017-07-05 23:00
Written by seamuslee, member of the CiviCRM community

When viewing the CiviCRM "Mailing" report, a logged-in user could modify the URL to access the report for another mailing, even if
they would not ordinarily have access to that information.
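The flaw described above is an object-level authorization gap: the report trusts the mailing id taken from the URL once the user is logged in. The PHP below is an added illustration written for this advisory, not CiviCRM's own code or the actual patch; the function names, the in-memory mailing data and the ACL table are assumptions constructed to show the weak pattern beside a checked one.

```php
<?php
// Added illustration (not CiviCRM's code): a report endpoint that only checks
// "is the user logged in", beside a version that also checks "may this user
// view this particular mailing". All data and names below are constructed.

// Constructed sample data: mailings keyed by id, with the owning user's id.
const MAILINGS = [
    101 => ['name' => 'Newsletter May', 'owner_id' => 1, 'sent' => 1200, 'opened' => 430],
    102 => ['name' => 'Donor appeal',   'owner_id' => 2, 'sent' => 80,   'opened' => 51],
];

// Constructed ACL: the mailing ids each user is allowed to view.
const VIEW_ACL = [
    1 => [101],
    2 => [102],
];

/** Weak version: any logged-in user gets whatever id is in the query string. */
function mailingReportWeak(int $userId, array $query): ?array {
    $id = (int) ($query['mid'] ?? 0);
    return MAILINGS[$id] ?? null;   // no check that $userId may view mailing $id
}

/** Checked version: an object-level permission check before returning the row. */
function mailingReportChecked(int $userId, array $query): ?array {
    $id = (int) ($query['mid'] ?? 0);
    if (!isset(MAILINGS[$id])) {
        return null;
    }
    $allowed = VIEW_ACL[$userId] ?? [];
    if (!in_array($id, $allowed, true)) {
        // Log the denial so tampered ids show up in monitoring, then answer
        // exactly as for a missing mailing so valid ids cannot be enumerated.
        error_log("mailing report denied: user $userId requested mailing $id");
        return null;
    }
    return MAILINGS[$id];
}

// Demonstration: user 1's request carries a mid that belongs to user 2.
$tampered = ['mid' => '102'];
var_dump(mailingReportWeak(1, $tampered));      // row returned although user 1 has no access
var_dump(mailingReportChecked(1, $tampered));   // null: denied and logged
var_dump(mailingReportChecked(2, $tampered));   // row returned: the owner is still allowed
```

The point of the checked version is that authentication alone is not authorization: the id in the request must be matched against what the current user may see before any data is returned, and a denial should be logged and indistinguishable from a missing record.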

Security Risk
Moderately Critical
Access Bypass
Affected Versions
  • 4.7.20 and earlier
  • 4.6.28 and earlier
Fixed Versions
  • 4.7.21
  • 4.6.29

Upgrade to the latest version of CiviCRM

If you cannot upgrade, you should apply the following patch:



Thanks to Dave Jenkins of Circle Interactive for reporting the issue and fixing it.