CVE-2013-4661
First published: Wed Jan 29 2014(Updated: )
CiviCRM 2.0.0 through 4.2.9 and 4.3.0 through 4.3.3 does not properly enforce role-based access control (RBAC) restrictions for default custom searches, which allows remote authenticated users with the "access CiviCRM" permission to bypass intended access restrictions, as demonstrated by accessing custom contribution data without having the "access CiviContribute" permission.
Credit: cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| CiviCRM | =2.0.0 | |
| CiviCRM | =2.0.1 | |
| CiviCRM | =2.0.2 | |
| CiviCRM | =2.0.3 | |
| CiviCRM | =2.0.4 | |
| CiviCRM | =2.0.5 | |
| CiviCRM | =2.0.6 | |
| CiviCRM | =2.0.7 | |
| CiviCRM | =2.1.0 | |
| CiviCRM | =2.1.1 | |
| CiviCRM | =2.1.2 | |
| CiviCRM | =2.1.4 | |
| CiviCRM | =2.1.6 | |
| CiviCRM | =2.2.0 | |
| CiviCRM | =2.2.1 | |
| CiviCRM | =2.2.2 | |
| CiviCRM | =2.2.3 | |
| CiviCRM | =2.2.5 | |
| CiviCRM | =2.2.6 | |
| CiviCRM | =2.2.7 | |
| CiviCRM | =2.2.8 | |
| CiviCRM | =2.2.9 | |
| CiviCRM | =3.0.0 | |
| CiviCRM | =3.0.1 | |
| CiviCRM | =3.0.2 | |
| CiviCRM | =3.0.3 | |
| CiviCRM | =3.0.4 | |
| CiviCRM | =3.1.1 | |
| CiviCRM | =3.1.2 | |
| CiviCRM | =3.1.3 | |
| CiviCRM | =3.1.4 | |
| CiviCRM | =3.1.5 | |
| CiviCRM | =3.1.6 | |
| CiviCRM | =3.2.0 | |
| CiviCRM | =3.2.1 | |
| CiviCRM | =3.2.2 | |
| CiviCRM | =3.2.3 | |
| CiviCRM | =3.2.4 | |
| CiviCRM | =3.2.5 | |
| CiviCRM | =3.3.0 | |
| CiviCRM | =3.3.1 | |
| CiviCRM | =3.3.2 | |
| CiviCRM | =3.3.3 | |
| CiviCRM | =3.3.5 | |
| CiviCRM | =3.3.6 | |
| CiviCRM | =3.4.0 | |
| CiviCRM | =4.0.5 | |
| CiviCRM | =4.1.0 | |
| CiviCRM | =4.1.1 | |
| CiviCRM | =4.1.2 | |
| CiviCRM | =4.1.3 | |
| CiviCRM | =4.1.4 | |
| CiviCRM | =4.1.5 | |
| CiviCRM | =4.1.6 | |
| CiviCRM | =4.2.0 | |
| CiviCRM | =4.2.1 | |
| CiviCRM | =4.2.2 | |
| CiviCRM | =4.2.4 | |
| CiviCRM | =4.2.5 | |
| CiviCRM | =4.2.6 | |
| CiviCRM | =4.2.7 | |
| CiviCRM | =4.2.8 | |
| CiviCRM | =4.2.9 | |
| CiviCRM | =4.3.0 | |
| CiviCRM | =4.3.1 | |
| CiviCRM | =4.3.2 | |
| CiviCRM | =4.3.3 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is the severity of CVE-2013-4661?
CVE-2013-4661 has a medium severity level due to improper role-based access control allowing authenticated users to bypass access restrictions.
How do I fix CVE-2013-4661?
To fix CVE-2013-4661, you should upgrade to CiviCRM version 4.3.4 or later, which addresses the access control issue.
Which versions of CiviCRM are affected by CVE-2013-4661?
CVE-2013-4661 affects CiviCRM versions 2.0.0 through 4.2.9 and 4.3.0 through 4.3.3.
Can I still use CiviCRM 4.2.9 safely if I take precautions?
While you can take precautions, it is highly recommended to upgrade to a secure version to fully mitigate the risk from CVE-2013-4661.
What attack vectors are associated with CVE-2013-4661?
The primary attack vector for CVE-2013-4661 is remote authenticated users exploiting the lack of role-based access restrictions on custom searches.
- agent/type
- agent/softwarecombine
- collector/mitre-cve
- source/MITRE
- agent/author
- agent/weakness
- agent/references
- agent/severity
- agent/last-modified-date
- agent/first-publish-date
- agent/event
- agent/description
- agent/source
- agent/tags
- collector/nvd-index
- agent/software-canonical-lookup-request
- vendor/civicrm
- canonical/civicrm
- version/civicrm/2.0.0
- version/civicrm/2.0.1
- version/civicrm/2.0.2
- version/civicrm/2.0.3
- version/civicrm/2.0.4
- version/civicrm/2.0.5
- version/civicrm/2.0.6
- version/civicrm/2.0.7
- version/civicrm/2.1.0
- version/civicrm/2.1.1
- version/civicrm/2.1.2
- version/civicrm/2.1.4
- version/civicrm/2.1.6
- version/civicrm/2.2.0
- version/civicrm/2.2.1
- version/civicrm/2.2.2
- version/civicrm/2.2.3
- version/civicrm/2.2.5
- version/civicrm/2.2.6
- version/civicrm/2.2.7
- version/civicrm/2.2.8
- version/civicrm/2.2.9
- version/civicrm/3.0.0
- version/civicrm/3.0.1
- version/civicrm/3.0.2
- version/civicrm/3.0.3
- version/civicrm/3.0.4
- version/civicrm/3.1.1
- version/civicrm/3.1.2
- version/civicrm/3.1.3
- version/civicrm/3.1.4
- version/civicrm/3.1.5
- version/civicrm/3.1.6
- version/civicrm/3.2.0
- version/civicrm/3.2.1
- version/civicrm/3.2.2
- version/civicrm/3.2.3
- version/civicrm/3.2.4
- version/civicrm/3.2.5
- version/civicrm/3.3.0
- version/civicrm/3.3.1
- version/civicrm/3.3.2
- version/civicrm/3.3.3
- version/civicrm/3.3.5
- version/civicrm/3.3.6
- version/civicrm/3.4.0
- version/civicrm/4.0.5
- version/civicrm/4.1.0
- version/civicrm/4.1.1
- version/civicrm/4.1.2
- version/civicrm/4.1.3
- version/civicrm/4.1.4
- version/civicrm/4.1.5
- version/civicrm/4.1.6
- version/civicrm/4.2.0
- version/civicrm/4.2.1
- version/civicrm/4.2.2
- version/civicrm/4.2.4
- version/civicrm/4.2.5
- version/civicrm/4.2.6
- version/civicrm/4.2.7
- version/civicrm/4.2.8
- version/civicrm/4.2.9
- version/civicrm/4.3.0
- version/civicrm/4.3.1
- version/civicrm/4.3.2
- version/civicrm/4.3.3