CVE-2013-4661

Sažetak

CiviCRM 2.0.0 through 4.2.9 and 4.3.0 through 4.3.3 does not properly enforce role-based access control (RBAC) restrictions for default custom searches, which allows remote authenticated users with the "access CiviCRM" permission to bypass intended access restrictions, as demonstrated by accessing custom contribution data without having the "access CiviContribute" permission.

Reference

http://civicrm.org/advisory/civi-sa-2013-003
http://civicrm.org/advisory/civi-sa-2013-003-custom-search-permissions
http://issues.civicrm.org/jira/browse/CRM-12747

CVSS

Base:	4.9
Impact:	4.9
Exploitability:	6.8

Pristup

Vektor	Složenost	Autentikacija
NETWORK	MEDIUM	SINGLE

Impact

Povjerljivost	Cjelovitost	Dostupnost
PARTIAL	PARTIAL	NONE

CVSS vektor

AV:N/AC:M/Au:S/C:P/I:P/A:N

Zadnje važnije ažuriranje

21-02-2014 - 19:35

Objavljeno

29-01-2014 - 18:55