CVSS2: 5.0 (Medium)
  Attack Vector: NETWORK
  Attack Complexity: LOW
  Authentication: NONE
  Confidentiality Impact: PARTIAL
  Integrity Impact: NONE
  Availability Impact: NONE
  Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N
EPSS: 0.967 (High), percentile 99.7%
Webform CiviCRM integration allows you to expose contact data via Webforms. Depending on what fields you have exposed in your form, this may include personal information such as birthdate, phone number, email address, etc. Proper permission settings are important to keep this information from prying eyes.
Each “existing contact” field on a webform has an “Enforce Permissions” setting that makes the module apply CiviCRM's contact permissions when it looks up and autofills a contact. This setting should rarely be disabled, and only by administrators who understand the consequence: with it off, whatever contact data the form exposes can be autofilled for users who would not be allowed to view that contact in CiviCRM, including anonymous visitors. Unfortunately, some circumstances may have led administrators to disable this setting unintentionally:
Version 3.4 includes an update script that automatically sets “Enforce Permissions” to true for every existing-contact field. Once you have upgraded, review your webforms and confirm that autofilling contacts still works as expected, paying particular attention to forms that anonymous users can submit. In the rare case where you have established access control by some other means, you may need to disable “Enforce Permissions” again, and you will have to do so manually for each field.
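The post-upgrade review described above (find every existing-contact field whose Enforce Permissions setting is off, and pay particular attention to forms open to anonymous users) can be scripted. The following drush script is an added example, not the module's own update script and not code from the advisory. It assumes that existing-contact fields are Webform components of type `civicrm_contact`, that the Enforce Permissions checkbox is persisted as `extra['check_permissions']` in the serialized `extra` column of `{webform_component}`, and that Webform's per-role submission access lives in `{webform_roles}`; check all three against your installed versions before relying on it.

```php
<?php
/**
 * audit_enforce_permissions.php (added example, not part of the module)
 *
 * Usage, from a Drupal 7 site root:
 *   drush scr audit_enforce_permissions.php        # report only
 *   drush scr audit_enforce_permissions.php fix    # also turn the setting on
 *
 * Assumptions (verify before trusting the results):
 *   - existing-contact fields are Webform components of type 'civicrm_contact';
 *   - "Enforce Permissions" is stored as extra['check_permissions'] in the
 *     serialized 'extra' column of {webform_component};
 *   - per-role submission access is recorded in {webform_roles} (nid, rid).
 */

// Positional argument handed to the script by drush: "fix" enables writes.
$fix = (drush_shift() === 'fix');

// Webforms that anonymous users may submit are the highest-risk place for an
// existing-contact field that does not enforce permissions.
$anon_nids = db_query(
  'SELECT nid FROM {webform_roles} WHERE rid = :rid',
  array(':rid' => DRUPAL_ANONYMOUS_RID)
)->fetchCol();
$anon_forms = array_flip($anon_nids);

$components = db_query(
  'SELECT c.nid, c.cid, c.form_key, c.extra, n.title
     FROM {webform_component} c
     INNER JOIN {node} n ON n.nid = c.nid
     WHERE c.type = :type
     ORDER BY c.nid, c.cid',
  array(':type' => 'civicrm_contact')
);

$unenforced = 0;
$fixed = 0;
foreach ($components as $c) {
  $extra = unserialize($c->extra);
  if (!is_array($extra)) {
    drush_log(dt('node/@nid cid @cid: unreadable extra settings, inspect manually',
      array('@nid' => $c->nid, '@cid' => $c->cid)), 'warning');
    continue;
  }

  // A missing key is treated as "off". This mirrors the direction of the 3.4
  // update script, which turns the setting on for every existing contact.
  if (!empty($extra['check_permissions'])) {
    continue;
  }
  $unenforced++;

  $risk = isset($anon_forms[$c->nid]) ? 'ANONYMOUS CAN SUBMIT' : 'authenticated only';
  drush_print(dt('[@risk] "@title" (node/@nid) field @key (cid @cid): Enforce Permissions is OFF',
    array('@risk' => $risk, '@title' => $c->title, '@nid' => $c->nid,
          '@key' => $c->form_key, '@cid' => $c->cid)));

  if ($fix) {
    $extra['check_permissions'] = 1;
    db_update('webform_component')
      ->fields(array('extra' => serialize($extra)))
      ->condition('nid', $c->nid)
      ->condition('cid', $c->cid)
      ->execute();
    $fixed++;
  }
}

drush_print(dt('@n existing-contact field(s) without Enforce Permissions; @f fixed.',
  array('@n' => $unenforced, '@f' => $fixed)));

if ($fixed) {
  // Webform attaches component definitions to loaded nodes; reset the node
  // entity cache so the change is visible without a full cache clear.
  entity_get_controller('node')->resetCache();
}
```

Run it in report mode first and compare the output against the forms where you deliberately rely on some other access control; only then run it with `fix`, and re-enable the setting manually afterwards on the few fields where the advisory says leaving it off is justified.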
CVE: CVE-2012-5554
Drupal core is not affected. If you do not use the contributed Webform CiviCRM Integration module, there is nothing you need to do.
Install the latest version (3.4 or later), which includes the update script described above.
Also see the Webform CiviCRM Integration project page.