CIVI-SA-2014-006 - Access bypass in CiviCase

Published
2014-12-16 19:42

CiviCase functionality includes several URLs which allow a user to view and edit a limited amount of case information. Some of these URLs were not adequately checking permissions and could be used by any user with the "Access CiviCRM" permission.

This problem only affects sites using the CiviCase component. It is mitigated by the fact that the user must have "Access CiviCRM," a permission not normally granted to untrusted users.
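The class of bug described above, as an added illustration that is not CiviCRM's code or its actual fix: a handler gated only by the component-level "access CiviCRM" permission, beside one that also requires a CiviCase permission and, for "my cases" users, checks that the case is theirs. The data, users and handler functions are constructed for the example; the permission names are CiviCase's, but the check logic is hypothetical.

```php
<?php
// Illustrative only: hypothetical handlers modelling the bug class in this
// advisory, not CiviCRM's real request handlers or permission API.

// Constructed sample data: one case record and the user ids allowed on it.
$cases = [
    101 => ['subject' => 'Housing support', 'allowedUsers' => [7]],
];

// Constructed users: user 9 holds only the broad component permission.
$users = [
    ['id' => 7, 'perms' => ['access CiviCRM', 'access my cases and activities']],
    ['id' => 9, 'perms' => ['access CiviCRM']],
];

function hasPermission(array $user, string $perm): bool {
    return in_array($perm, $user['perms'], true);
}

// Vulnerable pattern: anyone with "access CiviCRM" reaches the case data;
// nothing checks whether this user may see this particular case.
function viewCaseVulnerable(array $user, int $caseId, array $cases): ?array {
    if (!hasPermission($user, 'access CiviCRM')) {
        return null; // would be a 403 in a real handler
    }
    return $cases[$caseId] ?? null;
}

// Hardened pattern: require a case-level permission, and for users limited
// to their own cases confirm that this case is one of theirs.
function viewCaseHardened(array $user, int $caseId, array $cases): ?array {
    if (!hasPermission($user, 'access CiviCRM') || !isset($cases[$caseId])) {
        return null;
    }
    if (hasPermission($user, 'access all cases and activities')) {
        return $cases[$caseId];
    }
    if (hasPermission($user, 'access my cases and activities')
        && in_array($user['id'], $cases[$caseId]['allowedUsers'], true)) {
        return $cases[$caseId];
    }
    return null; // "access CiviCRM" alone is not enough
}

foreach ($users as $u) {
    printf("user %d: vulnerable=%s hardened=%s\n", $u['id'],
        viewCaseVulnerable($u, 101, $cases) ? 'allowed' : 'denied',
        viewCaseHardened($u, 101, $cases) ? 'allowed' : 'denied');
}
```

User 9, who holds only "access CiviCRM", is allowed by the vulnerable handler and denied by the hardened one; user 7 is allowed by both.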

Security Risk

Less Critical

Vulnerability

Access Bypass

Affected Versions

All versions with CiviCase.

Fixed Versions

4.4.11

4.5.5

Solutions

Any ONE of the following solutions will provide protection:

  • Upgrade to one of the fixed versions: 4.4.11 or 4.5.5.
  • Backport the patch at https://github.com/civicrm/civicrm-core/pull/4729.diff

Credits

Coleman Watts and Tim Otten of the CiviCRM core team.

References

See also:

  • https://issues.civicrm.org/jira/browse/CRM-15713
  • https://github.com/civicrm/civicrm-core/pull/4719