CIVI-SA-2022-01: CiviContribute Access Bypass

Published
2022-03-16 12:00

When accessing the Contribution View page, insufficient permission checking was performed. As a result, a user who knew the URL and held only the "access CiviCRM" permission could view contribution information they should not have been able to see.

Security Risk
Moderately Critical
Vulnerability
Access Bypass
Affected Versions

All versions less than or equal to: 5.47.1, 5.46.2, 5.45.3

Fixed Versions

CiviCRM versions 5.47.2, 5.46.3, and 5.45.4 ESR

Solutions

If you are not on the ESR and have not yet upgraded to 5.47, upgrade to 5.46.3; if you have already upgraded to 5.47, upgrade to 5.47.2.
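As an added example (not part of the advisory), a small Python helper that applies the affected and fixed version ranges above to an installed release number and returns the upgrade target named in the Solutions section; it assumes, as the advisory implies, that releases after 5.47.2 carry the fix.

```python
"""Check an installed CiviCRM release against CIVI-SA-2022-01.

Added example, not part of the advisory. Version data comes from the
advisory: fixed in 5.47.2, 5.46.3 and 5.45.4 (ESR); releases on or
before 5.47.1, 5.46.2 and 5.45.3 are affected.
"""
from typing import Optional, Tuple

# First release on each line that carries the fix (from the advisory).
FIXED = {
    (5, 45): (5, 45, 4),  # ESR line
    (5, 46): (5, 46, 3),
    (5, 47): (5, 47, 2),
}
NEWEST_FIXED_LINE = (5, 47)


def parse_version(text: str) -> Tuple[int, int, int]:
    """Turn '5.46.2' or '5.47' into a comparable (major, minor, patch) tuple."""
    parts = text.strip().split(".")
    if not 2 <= len(parts) <= 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a CiviCRM release number: {text!r}")
    nums = [int(p) for p in parts] + [0] * (3 - len(parts))
    return nums[0], nums[1], nums[2]


def is_affected(text: str) -> bool:
    """True when the release lacks the CIVI-SA-2022-01 fix."""
    v = parse_version(text)
    line = v[:2]
    if line in FIXED:
        return v < FIXED[line]  # an older patch release on a fixed line
    # Assumption: lines older than 5.45 never got a fix, 5.48+ shipped after it.
    return line < NEWEST_FIXED_LINE


def recommended_upgrade(text: str) -> Optional[str]:
    """Upgrade target per the Solutions section, or None if already fixed."""
    if not is_affected(text):
        return None
    line = parse_version(text)[:2]
    if line == (5, 45):
        return "5.45.4"  # stay on the ESR line
    if line >= (5, 47):
        return "5.47.2"
    return "5.46.3"      # not on ESR and not yet on 5.47


if __name__ == "__main__":
    for rel in ("5.45.3", "5.46.2", "5.47.1", "5.47.2", "5.44.0"):
        print(rel, "affected" if is_affected(rel) else "fixed", recommended_upgrade(rel))
```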

Credits

Bob Silvern of San Diego 350 for reporting the issue
Seamus Lee of JMA Consulting and the Core Team for fixing the issue

References

security/core#112