CVE-2013-4661

Name of the Vulnerable Software and Affected Versions CiviCRM versions 2.0.0 through 4.2.9 CiviCRM versions 4.3.0 through 4.3.3

Description The issue is related to the improper enforcement of role-based access control (RBAC) restrictions for default custom searches. This allows remote authenticated users with the access CiviCRM permission to bypass intended access restrictions. For example, they can access custom contribution data without having the access CiviContribute permission.

Recommendations For CiviCRM versions 2.0.0 through 4.2.9, update to a version that properly enforces RBAC restrictions. For CiviCRM versions 4.3.0 through 4.3.3, update to a version that properly enforces RBAC restrictions. As a temporary workaround, consider restricting the access CiviCRM permission to minimize the risk of exploitation.