CVE-2013-4661
CVSS2
Attack Vector
NETWORK
Attack Complexity
MEDIUM
Authentication
SINGLE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:M/Au:S/C:P/I:P/A:N
AI Score
Confidence
Low
EPSS
Percentile
47.8%
CiviCRM 2.0.0 through 4.2.9 and 4.3.0 through 4.3.3 does not properly enforce role-based access control (RBAC) restrictions for default custom searches, which allows remote authenticated users with the “access CiviCRM” permission to bypass intended access restrictions, as demonstrated by accessing custom contribution data without having the “access CiviContribute” permission.
Affected configurations
| Vendor | Product | Version | CPE |
|---|---|---|---|
| civicrm | civicrm | 2.0.0 | cpe:2.3:a:civicrm:civicrm:2.0.0:*:*:*:*:*:*:* |
| civicrm | civicrm | 2.0.1 | cpe:2.3:a:civicrm:civicrm:2.0.1:*:*:*:*:*:*:* |
| civicrm | civicrm | 2.0.2 | cpe:2.3:a:civicrm:civicrm:2.0.2:*:*:*:*:*:*:* |
| civicrm | civicrm | 2.0.3 | cpe:2.3:a:civicrm:civicrm:2.0.3:*:*:*:*:*:*:* |
| civicrm | civicrm | 2.0.4 | cpe:2.3:a:civicrm:civicrm:2.0.4:*:*:*:*:*:*:* |
| civicrm | civicrm | 2.0.5 | cpe:2.3:a:civicrm:civicrm:2.0.5:*:*:*:*:*:*:* |
| civicrm | civicrm | 2.0.6 | cpe:2.3:a:civicrm:civicrm:2.0.6:*:*:*:*:*:*:* |
| civicrm | civicrm | 2.0.7 | cpe:2.3:a:civicrm:civicrm:2.0.7:*:*:*:*:*:*:* |
| civicrm | civicrm | 2.1.0 | cpe:2.3:a:civicrm:civicrm:2.1.0:*:*:*:*:*:*:* |
| civicrm | civicrm | 2.1.1 | cpe:2.3:a:civicrm:civicrm:2.1.1:*:*:*:*:*:*:* |
Related
CVSS2
Attack Vector
NETWORK
Attack Complexity
MEDIUM
Authentication
SINGLE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:M/Au:S/C:P/I:P/A:N
AI Score
Confidence
Low
EPSS
Percentile
47.8%