CIVI-SA-2025-05: Embedded Searches

Published
2025-08-06 12:00
Written by

When embedding a saved search in a custom form, administrators may pre-configure mandatory filter criteria. In some cases, these mandatory criteria can be bypassed.

Security Risk
Moderately Critical
Vulnerability
Access Bypass
Affected Versions

CiviCRM 6.4.0 and earlier

Fixed Versions

CiviCRM versions 6.4.1, 6.5.0, and 5.81.4 (ESR)

Publication Date
Solutions

Any ONE of the following is sufficient:

  • Upgrade to a fixed version of CiviCRM, or...
  • Do not offer any embedded searches to untrusted users.

Credits

Coleman Watts (CiviCRM)
Tim Otten (CiviCRM)
Benjamin W (CiviCRM)

References

security/core!197