CIVI-SA-2020-19: Edit permission for recurring contributions

Published
2020-08-19 09:00

In some situations, users without the permission "edit contributions" could edit recurring contributions.

Security Risk

Moderately Critical

Vulnerability

Access Bypass

Affected Versions

CiviCRM version 5.28.0 and earlier

Fixed Versions

CiviCRM version 5.28.1 and 5.27.5 ESR

Solutions

Upgrade to the latest version of CiviCRM

Credits

Jens Schuppe for reporting the issue
Eileen McNaughton of Wikimedia and Seamus Lee of CiviCRM Core Team for fixing the issue

References

dev/core#1945