CIVI-SA-2014-006 - Access bypass in CiviCase

Publicat
2014-12-16 19:42
Written by

CiviCase functionality includes several urls which allow a user to view and edit a limited amount of case info. Some of these urls were not adequately checking permissions and could be used by any user with "Access CiviCRM" permission.

This problem only affects sites using the CiviCase component. It is mitigated by the fact that the user must have "Access CiviCRM," a permission not normally granted to untrusted users.

Security Risk
Less Critical
Vulnerability
Access Bypass
Affected Versions

All versions with CiviCase.

Fixed Versions

4.4.11

4.5.5

Solutions

Any ONE of the following solutions will provide protection:

  • Upgrade to one of the fixed versions: 4.4.11 or 4.5.5.
  • Backport the patch at https://github.com/civicrm/civicrm-core/pull/4729.diff
Credits

Coleman Watts and Tim Otten of the CiviCRM core team.

References

See also:

  • https://issues.civicrm.org/jira/browse/CRM-15713
  • https://github.com/civicrm/civicrm-core/pull/4719