CIVI-SA-2016-22 Profile Permission check by-passes in Wordpress

Gepubliceerd

2016-11-28 21:18

Written by

seamuslee

This issue affects your site if it is hosted on WordPress, and you use ACLs to restrict access to contact data.

It was identified that CiviCRM on WordPress CMS did not correctly trigger ACL checks when viewing CiviCRM profile URLs via checksum. This might lead sites to disclose some contact data via profile pages.

Security Risk

Moderately Critical

Vulnerability

Access Bypass

Affected Versions

4.7.13
4.6.23

Fixed Versions

4.7.14
4.6.24

Solutions

Upgrade to the latest CiviCRM release.

If you cannot upgrade to the latest CiviCRM version apply the patch here https://github.com/civicrm/civicrm-core/pull/8707

Credits

Brian Shaughnessy for reporting the issue and providing a fix

References

Issue CRM-19079

We are in the process of translating the civicrm.org website. Translations may not be available in all languages. Read more and participate.

© 2005 - 2023, CIVICRM LLC. All rights reserved.
CiviCRM and the CiviCRM logo are trademarks of CIVICRM LLC. Except where otherwise noted, content on this site is licensed under a Creative Commons Attribution-Share Alike 3.0 United States Licence.

[D8]

CIVI-SA-2016-22 Profile Permission check by-passes in Wordpress

WORK WITH A TRUSTED EXPERT
TO SETUP YOUR CIVICRM

Languages

CIVI-SA-2016-22 Profile Permission check by-passes in Wordpress

WORK WITH A TRUSTED EXPERT TO SETUP YOUR CIVICRM

WORK WITH A TRUSTED EXPERT
TO SETUP YOUR CIVICRM