Security Risk: 
Moderately Critical
Vulnerability: 
Access Bypass
Affected Versions: 
  • 4.7.20 and earlier
  • 4.6.28 and earlier
Fixed Versions: 
  • 4.7.21
  • 4.6.29
Publication Date: 
Wednesday, July 5, 2017
Description: 

When viewing the CiviCRM "Mailing" report, a logged-in user could modify the URL to access the report for another mailing, even if they ordinarily would not have access to that information.
 

Solutions: 

Upgrade to the latest version of CiviCRM

If you cannot upgrade, you should apply the following patch

 

Credits: 

Dave Jenkins of Circle interactive for reporting the issue and fixing it