CVE-2013-4661 — Civicrm vulnerability

CWE-2643 documents3 sources

Severity

4.9MEDIUMNVD

EPSS

0.2%

top 61.67%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Civicrm Debian Civicrm

Timeline

PublishedJan 29

Latest updateMay 17

Description

CiviCRM 2.0.0 through 4.2.9 and 4.3.0 through 4.3.3 does not properly enforce role-based access control (RBAC) restrictions for default custom searches, which allows remote authenticated users with the "access CiviCRM" permission to bypass intended access restrictions, as demonstrated by accessing custom contribution data without having the "access CiviContribute" permission.

CVSS vector

AV:N/AC:M/C:P/I:P/A:NExploitability: 6.8 | Impact: 4.9

Affected Packages2 packages

▶debiandebian/civicrm

▶NVDcivicrm/civicrm67 versions+66

🔴Vulnerability Details

GHSA

GHSA-7xcj-h49w-rxfw: CiviCRM 2↗2022-05-17

▶

📋Vendor Advisories

Debian

CVE-2013-4661: civicrm - CiviCRM 2.0.0 through 4.2.9 and 4.3.0 through 4.3.3 does not properly enforce ro...↗2013

▶