CIVI-SA-2017-02: Privilege escalation via leaked key

Publié

2017-07-05 23:00

Written by

seamuslee

After successfully calling the "Contact.create" API, the caller could receive a list of all fields relating to the contact -- including a sensitive field that normally has restricted access. In some contexts, leaking the sensitive field could allow an attacker to access CiviCRM as the targeted user.

Security Risk

Critical

Vulnerability

Access Bypass

Affected Versions

4.7.20 and earlier
4.6.28 and earlier

Fixed Versions

4.7.21
4.6.29

Solutions

Upgrade to the latest version on CiviCRM

If you cannot upgrade to the latest version of CiviCRM apply the following patch

https://github.com/civicrm/civicrm-core/pull/10378/

Credits

Thomas Schüttler of Oxfam for reporting the issue

Tim Otten of CiviCRM for fixing the issue

References

https://issues.civicrm.org/jira/browse/CRM-20159

Nous Nous sommes en train de traduire le site civicrm.org. Certaines contenus pourraient ne pas être disponibles dans toutes les langues. En savoir plus et participer.

© 2005 - 2023, CIVICRM LLC. Tous droits réservés.
CiviCRM et le logo CiviCRM sont des marques de commerce de CiviCRM LLC. À l'exception d'une indication contraire, le contenu de ce site est mis à disposition sous une licence « Create Commons Attribution-Share Alike 3.0 United States Licence. »

[D8]

CIVI-SA-2017-02: Privilege escalation via leaked key

TRAVAILLEZ AVEC DES EXPERTS DE CONFIANCE

Langues