Security Risk: 
Moderately Critical
Access Bypass
Affected Versions: 
  • 4.7.20 and earlier
  • 4.6.28 and earlier
Fixed Versions: 
  • 4.7.21
  • 4.6.29
Publication Date: 
Wednesday, July 5, 2017

When viewing the CiviCRM "Mailing" report, a logged-in user could modify the URL to access the report for another mailing -- even if they ordinarily would not have access to that information.


Upgrade to the latest version of CiviCRM

If you cannot upgrade, you should apply the following patch



Dave Jenkins of Circle Interactive for reporting the issue and fixing it