A small number of CiviCRM entry points had faulty permission checks. This could allow hackers, under certain circumstances, to view basic contact information such as name, email, phone, or address for contacts in the database.
The risk is limited to viewing basic contact information; it does not include contributions, memberships, passwords or other data. It does not give hackers the ability to log in or make changes to the database.
All sites are advised to upgrade immediately to avoid the potential risk.
Affected versions:
- CiviCRM version 4.4.5 and earlier
- CiviCRM LTS version 4.2.16 and earlier

Fixed versions:
- CiviCRM 4.4.6
- CiviCRM LTS 4.2.17
Upgrade to one of the fixed versions.
Coleman Watts (CiviCRM LLC)