CIVI-SA-2014-004 - Information Disclosure

Gepubliceerd
2014-09-17 01:04
Written by

CiviCRM uses AJAX callbacks to provide advisory details while completing certain forms. For example, when registering a new user through a profile form, CiviCRM issues an AJAX request to determine whether the username is available.

Some AJAX callbacks did not test for authorization, enabling untrusted parties to:

  • Determine whether a username was in-use
  • Determine the primary email address for a given contact ID
  • Determine the list of available options in certain custom-field
Security Risk
Moderately Critical
Vulnerability
Information Disclosure
Affected Versions

v3.0.0 through v4.4.6, 4.3.8, 4.2.18

Fixed Versions

v4.4.7+, v4.3.9+, v4.2.19+

Solutions

Any ONE of the following solutions will provide protection:

Credits
  • Dave Jenkins (Circle Interactive)
  • Tim Otten (CiviCRM)