CiviCRM v2+ includes a "Custom Search" system which allows administrators to register customized search forms and includes some default custom-searches (e.g. "Find Contribution Amounts by Tag"). CiviCRM also supports role-based access controls using permissions like "access CiviContribute" or "access CiviEvent". For the default custom-searches, CiviCRM does not enforce the expected role-based access controls.
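
An administrator can estimate exposure by comparing what each role can reach when a custom search is gated only by a base permission against what it could reach if the component permission were also required. The following audit sketch is an added example, not CiviCRM code. Assumptions: the base permission is "access CiviCRM", the search-to-permission mapping, role names and the two searches marked hypothetical are constructed sample data.

```python
from dataclasses import dataclass
from typing import Optional

# Assumption: the base permission that lets a user open a search form.
BASE_PERMISSION = "access CiviCRM"

@dataclass(frozen=True)
class CustomSearch:
    label: str
    component_permission: Optional[str]  # permission the underlying data expects

# Constructed sample data; the search-to-permission mapping is an assumption.
SEARCHES = [
    CustomSearch("Find Contribution Amounts by Tag", "access CiviContribute"),
    CustomSearch("Event totals (hypothetical)", "access CiviEvent"),
    CustomSearch("Contacts by postal code (hypothetical)", None),
]
ROLES = {
    "volunteer": {"access CiviCRM"},
    "event staff": {"access CiviCRM", "access CiviEvent"},
    "bookkeeper": {"access CiviCRM", "access CiviContribute", "access CiviEvent"},
    "anonymous": set(),
}

def can_run(search, perms, enforce_component=True):
    """Decide whether a role's permission set may run a custom search."""
    if BASE_PERMISSION not in perms:
        return False
    if enforce_component and search.component_permission:
        return search.component_permission in perms
    return True

def exposure_gaps(searches, roles):
    """Return (role, search label, missing permission) for every case where the
    ungated behaviour grants access that the component permission would deny."""
    gaps = []
    for role, perms in sorted(roles.items()):
        for s in searches:
            if can_run(s, perms, enforce_component=False) and not can_run(s, perms):
                gaps.append((role, s.label, s.component_permission))
    return gaps

if __name__ == "__main__":
    for role, label, missing in exposure_gaps(SEARCHES, ROLES):
        print(f"{role!r} can run {label!r} without {missing!r}")
```

Replacing the sample tables with a site's real role-to-permission export shows which roles should be reviewed until the access checks are enforced.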