The 4.6.11 release of CiviCRM addresses an issue whereby users with limited administrative rights (data viewing) were able to modify certain fields within CiviCRM.
Affected versions:
- CiviCRM 4.6.10 and below
Fixed versions:
- CiviCRM 4.6.11 and above
Solutions:
- Upgrade to a fixed version of CiviCRM, 4.6.11+, OR
- Apply patch from CRM-17533: https://github.com/civicrm/civicrm-core/pull/7163
This issue was reported and resolved by Mattias Michaux in co-ordination with the CiviCRM security team.
The CiviCRM community thanks Mattias for his contribution to CiviCRM's security.