CIVI-SA-2022-01: CiviContribute Access Bypass

Published

2022-03-16 12:00

Written by

dev-team

When accessing the Contribution View page insufficient permission checking was occurring which meant that if you knew the url and had the access CiviCRM permission you would be able to view contribution information that you shouldn't have.

Security Risk

Moderately Critical

Vulnerability

Access Bypass

Affected Versions

All versions less than or equal to: 5.47.1, 5.46.2, 5.45.3

Fixed Versions

CiviCRM versions 5.47.2, 5.46.3, and 5.45.4 ESR

Publication Date

2022-03-17 - 12:00

Solutions

If you are not on the ESR and haven't yet upgraded to 5.47 upgrade to 5.46.3, if you have upgraded to 5.47 then upgrade to 5.47.2

Credits

Bob Silvern of San Diego 350 for reporting the issue
Seamus Lee of JMA Consulting and the Core Team for fixing the issue

References

security/core#112

We are in the process of translating the civicrm.org website. Translations may not be available in all languages. Read more and participate.

© 2005 - 2023, CIVICRM LLC. All rights reserved.
CiviCRM and the CiviCRM logo are trademarks of CIVICRM LLC. Except where otherwise noted, content on this site is licensed under a Creative Commons Attribution-Share Alike 3.0 United States Licence.

[D8]

CIVI-SA-2022-01: CiviContribute Access Bypass

WORK WITH A TRUSTED EXPERT
TO SETUP YOUR CIVICRM

Languages

CIVI-SA-2022-01: CiviContribute Access Bypass

WORK WITH A TRUSTED EXPERT TO SETUP YOUR CIVICRM

WORK WITH A TRUSTED EXPERT
TO SETUP YOUR CIVICRM