In some configurations, a malicious backend user may be able to impersonate another backend user. Both of the following conditions must be met for the issue to be exploitable:
- The malicious backend user must already have write access to the target user's contact record.
- The malicious backend user must know the CIVICRM_SITE_KEY.
Affected versions: up through v4.6.13 and v4.7.2
Fixed versions: v4.6.14+ and v4.7.3+
Remediation (any ONE of the following):
- Upgrade to CiviCRM v4.6.14+ or v4.7.3+.
- Apply the patch from https://github.com/civicrm/civicrm-core/pull/7888
Optionally, if your security policy is intended to allow non-administrators to create API keys for themselves or for others, grant the permission "edit own api keys" or "edit api keys" (respectively).
Credits:
- Xavier Dutoit (Tech to the People)
- Tim Otten (CiviCRM)