CIVI-SA-2022-01: CiviContribute Access Bypass

2022-03-16 12:00
Written by dev-team, a member of the CiviCRM community

When accessing the Contribution View page, insufficient permission checking was performed: anyone who knew the URL and held the "access CiviCRM" permission could view contribution information they should not have been able to see.

Security Risk

Moderately Critical: Access Bypass

Affected Versions

All versions less than or equal to: 5.47.1, 5.46.2, 5.45.3

Fixed Versions

CiviCRM versions 5.47.2, 5.46.3, and 5.45.4 ESR

Publication Date

2022-03-16

Solution

If you are not on the ESR and have not yet upgraded to 5.47, upgrade to 5.46.3; if you have already upgraded to 5.47, upgrade to 5.47.2.
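As an added example, not code from the CiviCRM project: a small Python helper that applies the advisory's affected and fixed version lists per release branch, so that 5.47.0 (newer than 5.46.3 but still vulnerable) is not mistaken for a patched install. It assumes plain x.y.z version strings, that branches newer than 5.47 were released with the fix, and that installs older than 5.45 follow the non-ESR advice above and move to 5.46.3.

```python
"""Branch-aware affected/fixed check for CIVI-SA-2022-01.
Version data is copied from the advisory; a naive 'version >= 5.46.3'
comparison wrongly treats 5.47.0 and 5.47.1 as patched."""
from typing import Dict, Optional, Tuple

Version = Tuple[int, int, int]

# Minor branch -> first patch release containing the fix (from the advisory).
FIXED_BY_BRANCH: Dict[Tuple[int, int], Version] = {
    (5, 45): (5, 45, 4),  # ESR branch
    (5, 46): (5, 46, 3),
    (5, 47): (5, 47, 2),
}
# Assumption: branches newer than 5.47 were cut after the fix and are not affected.
NEWEST_FIXED: Version = (5, 47, 2)
# Assumption: installs older than 5.45 follow the non-ESR advice (upgrade to 5.46.3).
OLD_BRANCH_TARGET: Version = (5, 46, 3)


def parse_version(text: str) -> Version:
    """Parse 'v5.47.1' or '5.47' into a 3-tuple; raise ValueError on junk."""
    parts = text.strip().lstrip("v").split(".")
    if not 2 <= len(parts) <= 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised CiviCRM version string: {text!r}")
    nums = [int(p) for p in parts] + [0] * (3 - len(parts))
    return nums[0], nums[1], nums[2]


def fmt(v: Version) -> str:
    return ".".join(str(n) for n in v)


def assess(text: str) -> Tuple[bool, Optional[str]]:
    """Return (is_affected, upgrade_target); target is None when not affected."""
    v = parse_version(text)
    branch = v[:2]
    if branch in FIXED_BY_BRANCH:
        fixed = FIXED_BY_BRANCH[branch]
        return (False, None) if v >= fixed else (True, fmt(fixed))
    if v > NEWEST_FIXED:
        return False, None
    return True, fmt(OLD_BRANCH_TARGET)


if __name__ == "__main__":
    for sample in ("5.47.1", "5.47.0", "5.46.3", "5.45.3", "5.44.0"):
        affected, target = assess(sample)
        print(f"{sample}: {'AFFECTED, upgrade to ' + target if affected else 'not affected'}")
```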

Credits

Bob Silvern of San Diego 350, for reporting the issue
Seamus Lee of JMA Consulting and the Core Team, for fixing the issue