CIVI-SA-2021-08 Access Bypass in APIv4

Pubblicato

2021-04-21 09:00

Written by

dev-team

Some permissions were not being checked adequately before returning results from the CiviCRM APIv4. This did not affect everyday use of CiviCRM, but an attacker could potentially exploit this to bypass security checks and read private data from the database. To date there are no known sites that have been compromised due to this bug. APIv3 was not affected.

Security Risk

Highly Critical

Vulnerability

Access Bypass

Affected Versions

CiviCRM version 5.35.1 and earlier

Fixed Versions

CiviCRM versions 5.36.1, 5.35.2, 5.33.5 ESR

Publication Date

2021-04-21 - 12:00

Solutions

Upgrade to a supported version of CiviCRM

Credits

Coleman Watts of CiviCRM Core for reporting and fixing the issue.

References

security/core!141

We are in the process of translating the civicrm.org website. Translations may not be available in all languages. Read more and participate.

© 2005 - 2023, CIVICRM LLC. All rights reserved.
CiviCRM and the CiviCRM logo are trademarks of CIVICRM LLC. Except where otherwise noted, content on this site is licensed under a Creative Commons Attribution-Share Alike 3.0 United States Licence.

[D8]

CIVI-SA-2021-08 Access Bypass in APIv4

WORK WITH A TRUSTED EXPERT
TO SETUP YOUR CIVICRM

Lingue

CIVI-SA-2021-08 Access Bypass in APIv4

WORK WITH A TRUSTED EXPERT TO SETUP YOUR CIVICRM

WORK WITH A TRUSTED EXPERT
TO SETUP YOUR CIVICRM