- 4.7.20 and earlier
- 4.6.28 and earlier
When viewing the CiviCRM "Mailing" report, a logged-in user could modify the URL to access the report for another mailing -- even if
they ordinarily would not have access that information.
Upgrade to the latest version of CiviCRM
If you cannot upgrade your should apply the following patch
Dave Jenkins of Circle interactive for reporting the issue and fixing it