CVE-2013-4661

EUVD-2013-4515
CiviCRM 2.0.0 through 4.2.9 and 4.3.0 through 4.3.3 does not properly enforce role-based access control (RBAC) restrictions for default custom searches, which allows remote authenticated users with the "access CiviCRM" permission to bypass intended access restrictions, as demonstrated by accessing custom contribution data without having the "access CiviContribute" permission.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
4.9 UNKNOWN
NETWORK
MEDIUM
AV:N/AC:M/Au:S/C:P/I:P/A:N
Base Score
CVSS 3.x
EPSS Score
Percentile: 38%
Affected Products (NVD)
VendorProductVersion
civicrmcivicrm
2.0.0
civicrmcivicrm
2.0.1
civicrmcivicrm
2.0.2
civicrmcivicrm
2.0.3
civicrmcivicrm
2.0.4
civicrmcivicrm
2.0.5
civicrmcivicrm
2.0.6
civicrmcivicrm
2.0.7
civicrmcivicrm
2.1.0
civicrmcivicrm
2.1.1
civicrmcivicrm
2.1.2
civicrmcivicrm
2.1.4
civicrmcivicrm
2.1.6
civicrmcivicrm
2.2.0
civicrmcivicrm
2.2.1
civicrmcivicrm
2.2.2
civicrmcivicrm
2.2.3
civicrmcivicrm
2.2.5
civicrmcivicrm
2.2.6
civicrmcivicrm
2.2.7
civicrmcivicrm
2.2.8
civicrmcivicrm
2.2.9
civicrmcivicrm
3.0.0
civicrmcivicrm
3.0.1
civicrmcivicrm
3.0.2
civicrmcivicrm
3.0.3
civicrmcivicrm
3.0.4
civicrmcivicrm
3.1.1
civicrmcivicrm
3.1.2
civicrmcivicrm
3.1.3
civicrmcivicrm
3.1.4
civicrmcivicrm
3.1.5
civicrmcivicrm
3.1.6
civicrmcivicrm
3.2.0
civicrmcivicrm
3.2.1
civicrmcivicrm
3.2.2
civicrmcivicrm
3.2.3
civicrmcivicrm
3.2.4
civicrmcivicrm
3.2.5
civicrmcivicrm
3.3.0
civicrmcivicrm
3.3.1
civicrmcivicrm
3.3.2
civicrmcivicrm
3.3.3
civicrmcivicrm
3.3.5
civicrmcivicrm
3.3.6
civicrmcivicrm
3.4.0
civicrmcivicrm
4.0.5
civicrmcivicrm
4.1.0
civicrmcivicrm
4.1.1
civicrmcivicrm
4.1.2
civicrmcivicrm
4.1.3
civicrmcivicrm
4.1.4
civicrmcivicrm
4.1.5
civicrmcivicrm
4.1.6
civicrmcivicrm
4.2.0
civicrmcivicrm
4.2.1
civicrmcivicrm
4.2.2
civicrmcivicrm
4.2.4
civicrmcivicrm
4.2.5
civicrmcivicrm
4.2.6
civicrmcivicrm
4.2.7
civicrmcivicrm
4.2.8
civicrmcivicrm
4.2.9
civicrmcivicrm
4.3.0
civicrmcivicrm
4.3.1
civicrmcivicrm
4.3.2
civicrmcivicrm
4.3.3
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
civicrm
bullseye
5.33.2+dfsg1-1
fixed
sid
5.68.1+dfsg1-1
fixed
Common Weakness Enumeration
References
http://civicrm.org/advisory/civi-sa-2013-003
http://civicrm.org/advisory/civi-sa-2013-003-custom-search-permissions
http://issues.civicrm.org/jira/browse/CRM-12747
http://civicrm.org/advisory/civi-sa-2013-003
http://civicrm.org/advisory/civi-sa-2013-003-custom-search-permissions
http://issues.civicrm.org/jira/browse/CRM-12747