CIVI-SA-2014-005 - ACL bypass on export

Közzétéve
2014-09-17 18:21
Written by

CiviCRM Access Control Lists (ACLs) allow site administrators to grant or revoke access to specifics groups/contacts. In CiviCRM 4.4.x, any staff user with access to the "Export" functionality could bypass the ACLs.

Security Risk
Moderately Critical
Vulnerability
Access Bypass
Affected Versions

4.4.6

(Note: 4.2.x & 4.3.x are not affected)

Fixed Versions

4.4.7

(Note: 4.2.x & 4.3.x are not affected)

Solutions

Upgrade to 4.4.7

Credits
  • Eileen McNaughton (Fuzion)
  • Kurund Jalmi (CiviCRM)