CIVI-SA-2016-05: Privilege escalation by backend users

Opublikowane

2016-02-29 12:38

Written by

totten

In some configurations, a malicious backend user may be able to impersonate another backend user. Some conditions must be met to be exploitable:

The malicious backend user must already have write-access to the target user's contact record.
The malicious backend user must know the CIVICRM_SITE_KEY.

Security Risk

Less Critical

Vulnerability

Access Bypass

Affected Versions

Up through v4.6.13 and v4.7.2

Fixed Versions

v4.6.14+ and v4.7.3+

Solutions

Any ONE of the following:

Upgrade to CiviCRM v4.6.14+ or v4.7.3+.
Apply the patch from https://github.com/civicrm/civicrm-core/pull/7888

Optionally, if the intent of your security policy is to allow non-administrators to create API keys for themselves or for others, then grant permissions "edit own api keys" or "edit api keys" (respectively).

Credits

Xavier Dutoit (Tech to the People)
Tim Otten (CiviCRM)

We are in the process of translating the civicrm.org website. Translations may not be available in all languages. Read more and participate.

© 2005 - 2023, CIVICRM LLC. All rights reserved.
CiviCRM and the CiviCRM logo are trademarks of CIVICRM LLC. Except where otherwise noted, content on this site is licensed under a Creative Commons Attribution-Share Alike 3.0 United States Licence.

[D8]

CIVI-SA-2016-05: Privilege escalation by backend users

WORK WITH A TRUSTED EXPERT
TO SETUP YOUR CIVICRM

Languages

CIVI-SA-2016-05: Privilege escalation by backend users

WORK WITH A TRUSTED EXPERT TO SETUP YOUR CIVICRM

WORK WITH A TRUSTED EXPERT
TO SETUP YOUR CIVICRM