This vulnerability does not escalate the permissions of the user. However, if the user imports data from another application or system, that data could be used to carry out an attack.
Affected versions: CiviCRM versions 5.35.0 and earlier
Fixed in: CiviCRM version 5.35.1 and ESR version 5.33.3
Any ONE of these solutions would be sufficient:
- Upgrade to the latest version of CiviCRM
- Refrain from importing CSVs containing data that you did not generate yourself.
Reported by Pradeep Nayak of Circle Interactive
Fixed by Seamus Lee of JMA Consulting / CiviCRM Core Team
Funded by Deutsche Gesellschaft für Internationale Zusammenarbeit (GIZ) GmbH