CIVI-SA-2021-08 Access Bypass in APIv4

Published
2021-04-21 09:00

Some permissions were not being checked adequately before results were returned from the CiviCRM APIv4. This did not affect everyday use of CiviCRM, but an attacker could potentially exploit it to bypass permission checks and read private data from the database. To date there are no known sites that have been compromised due to this bug. APIv3 was not affected.

Security Risk
Highly Critical
Vulnerability
Access Bypass
Affected Versions

CiviCRM version 5.35.1 and earlier

Fixed Versions

CiviCRM versions 5.36.1, 5.35.2, 5.33.5 ESR

Solutions

Upgrade to a supported version of CiviCRM
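As an added example (not part of this advisory or of CiviCRM's own code), the following Python script turns the affected and fixed version lists above into a triage check that can be run over the versions reported by a fleet of installs. It assumes that releases at or above 5.36.1 carry the fix forward, and it classifies releases the advisory does not name (for example 5.36.0) as unknown rather than guessing.

```python
import re

# Version facts taken from the advisory text (CIVI-SA-2021-08):
#   affected: 5.35.1 and earlier
#   fixed:    5.36.1, 5.35.2, 5.33.5 ESR
LAST_AFFECTED = (5, 35, 1)
# (major, minor) -> first patch level on that branch that contains the fix
FIXED_ON_BRANCH = {(5, 33): 5, (5, 35): 2, (5, 36): 1}
FIRST_FIXED_RELEASE = (5, 36, 1)

_VERSION_RE = re.compile(r"^\s*(\d+)\.(\d+)\.(\d+)")


def parse_version(text):
    """Parse 'MAJOR.MINOR.PATCH'; trailing tags such as ' ESR' are ignored."""
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised CiviCRM version string: {text!r}")
    return tuple(int(x) for x in m.groups())


def status(text):
    """Classify a version as 'fixed', 'affected' or 'unknown' for CIVI-SA-2021-08."""
    v = parse_version(text)
    branch, patch = v[:2], v[2]
    # Assumption (not stated on the page): the fix is carried forward, so any
    # release at or above 5.36.1 contains it.
    if v >= FIRST_FIXED_RELEASE:
        return "fixed"
    # Point releases on the patched branches listed in the advisory.
    if branch in FIXED_ON_BRANCH and patch >= FIXED_ON_BRANCH[branch]:
        return "fixed"
    # Everything up to and including 5.35.1 is stated as affected.
    if v <= LAST_AFFECTED:
        return "affected"
    # Releases the advisory names neither as affected nor as fixed (e.g. 5.36.0).
    return "unknown"


def triage(versions):
    """Map each reported version string to its status."""
    return {v: status(v) for v in versions}


if __name__ == "__main__":
    # Constructed sample of versions as an inventory tool might report them.
    sample = ["5.33.4", "5.33.5 ESR", "5.34.0", "5.35.1",
              "5.35.2", "5.36.0", "5.36.1", "5.37.0"]
    for ver, st in triage(sample).items():
        print(f"{ver:12s} {st}")
```

Any install reported as "affected" or "unknown" should be upgraded to one of the fixed versions listed above; "unknown" only means the advisory text does not name that release, not that it is safe.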

Credits

Coleman Watts of CiviCRM Core for reporting and fixing the issue.

References

security/core!141