
Sarah Gladstone

Researcher from Pogstone Inc
Rank #49856 of 53,633
Total CVSS: 4.9
Vulnerabilities: 1
PT-2014-2847
CVSS: 4.9
Published: 2014-01-29
Vendor: Civicrm · Product: Civicrm · CVE-2013-4661

**Name of the Vulnerable Software and Affected Versions**

CiviCRM versions 2.0.0 through 4.2.9
CiviCRM versions 4.3.0 through 4.3.3

**Description**

The issue stems from improper enforcement of role-based access control (RBAC) restrictions for default custom searches. Remote authenticated users who hold only the `access CiviCRM` permission can bypass the intended access restrictions; for example, they can view custom contribution data through a default custom search without holding the `access CiviContribute` permission that normally guards that data.

**Recommendations**

For CiviCRM versions 2.0.0 through 4.2.9, update to a version that properly enforces RBAC restrictions on default custom searches.
For CiviCRM versions 4.3.0 through 4.3.3, update to a version that properly enforces RBAC restrictions on default custom searches.
As a temporary workaround, restrict the `access CiviCRM` permission to trusted roles to reduce the number of accounts that can reach the affected custom searches.