After a successful call to the "Contact.create" API, the caller received every field of the created or updated contact, including a sensitive field whose read access is normally restricted. In some contexts, leaking that field could allow an attacker to access CiviCRM as the targeted user.
Affected versions:
- 4.7.20 and earlier
- 4.6.28 and earlier

Fixed versions:
- 4.7.21
- 4.6.29
Upgrade to the latest version of CiviCRM.
If you cannot upgrade to the latest version of CiviCRM, apply the following patch:
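To confirm on a deployment that the Contact.create response no longer echoes restricted fields to a low-privilege caller, a verification script such as the following can be run. It is an added example, not part of this advisory or of CiviCRM core. It assumes a bootstrapped CiviCRM environment (for example run via `cv scr check_contact_create.php`) with the low-privilege account under test logged in, and the field names in `$restrictedFields` are an assumption to be replaced with whatever your site treats as restricted.

```php
<?php
/**
 * Added verification script (not part of the advisory or of CiviCRM core).
 * Creates a throwaway contact through the API with the caller's own permissions
 * enforced, then checks whether any restricted field came back in the response.
 *
 * Assumptions:
 *  - runs inside a bootstrapped CiviCRM, e.g. `cv scr check_contact_create.php`
 *  - the current user is the low-privilege account you want to test as
 *  - $restrictedFields lists the fields your deployment treats as restricted
 */

// Assumption: adjust to the fields that are access-restricted on your site.
$restrictedFields = ['hash', 'api_key'];

$params = [
  'contact_type' => 'Individual',
  'first_name'   => 'Advisory',
  'last_name'    => 'Check',
  // Evaluate the call with the caller's permissions instead of as a trusted
  // internal PHP call, which is how an API consumer would be treated.
  'check_permissions' => 1,
];

try {
  $result = civicrm_api3('Contact', 'create', $params);
}
catch (CiviCRM_API3_Exception $e) {
  fwrite(STDERR, "Contact.create failed: " . $e->getMessage() . "\n");
  exit(2);
}

$contactId = (int) $result['id'];
$returned  = isset($result['values'][$contactId]) ? $result['values'][$contactId] : [];

// Restricted fields that were nevertheless present in the create response.
$leaked = array_values(array_intersect($restrictedFields, array_keys($returned)));

// Remove the throwaway contact (permanent delete, not just moved to trash).
civicrm_api3('Contact', 'delete', ['id' => $contactId, 'skip_undelete' => 1]);

if (!empty($leaked)) {
  echo "FAIL: Contact.create returned restricted field(s): " . implode(', ', $leaked) . "\n";
  exit(1);
}

echo "OK: no restricted fields in the Contact.create response for contact {$contactId}\n";
```

Run it once before and once after applying the upgrade or patch; a non-zero exit with a FAIL line means the response still carries a field the caller should not be able to read. Because the check is keyed on `check_permissions`, make sure the account you run it as is genuinely low-privilege, otherwise the result says nothing about what an ordinary API consumer would receive.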
Thomas Schüttler of Oxfam for reporting the issue
Tim Otten of CiviCRM for fixing the issue