Published
2020-08-19 09:00
In some situations, users without the permission "edit contributions" could edit recurring contributions.
Security Risk
Moderately Critical
Vulnerability
Access Bypass
Affected Versions
CiviCRM version 5.28.0 and earlier
Fixed Versions
CiviCRM version 5.28.1 and 5.27.5 ESR
Solutions
Upgrade to the latest version of CiviCRM
Credits
Jens Schuppe for reporting the issue
Eileen McNaughton of Wikimedia and Seamus Lee of CiviCRM Core Team for fixing the issue
References
dev/core#1945