In CiviCRM, an Access Control List (ACL) confers limited access to contact records (based on the membership list for a "Group" of contacts). In configurations with "ACL Smart Groups", a flaw allowed limited backend users to re-define their group criteria and gain elevated access. The fix ensures that only trusted users (with permission "edit groups") may re-define the group criteria.
NOTE: If an organization uses ACLs, then groups are important to data security, so the permission "edit groups" implies significant trust. This model is suitable for relatively flat organizations in which *only* trusted users may create, edit, or delete groups.
Some organizations may need more tiered permissions - e.g. allowing a user to create, edit, redefine, or delete *some* groups but not *all* groups. Supporting this distinction requires a change in the security model, and CIVI-SA-2020-09 is only a patch-fix to the existing model. If you need a more nuanced model, then evaluate enhancements such as the Group Protect extension.
CiviCRM version 5.28.0 and earlier
CiviCRM version 5.28.1 and 5.27.5 ESR
Upgrade to the latest version of CiviCRM.
Shitij Gugnani of Compucorp for reporting the issue
Seamus Lee, Tim Otten of CiviCRM Core Team for fixing the issue and Kevin Christiano of Tadpole Collective and Jamie Noviak of Compucorp for working on the fix.
security/core#61
