CVE-2013-4661 : CiviCRM 2.0.0 through 4.2.9 and 4.3.0 through 4.3.3 does not properly enforce ro

CiviCRM 2.0.0 through 4.2.9 and 4.3.0 through 4.3.3 does not properly enforce role-based access control (RBAC) restrictions for default custom searches, which allows remote authenticated users with the "access CiviCRM" permission to bypass intended access restrictions, as demonstrated by accessing custom contribution data without having the "access CiviContribute" permission.

Published 2014-01-29 18:55:27

Updated 2025-04-11 00:51:22

Source MITRE

View at NVD, CVE.org

Products affected by CVE-2013-4661

Civicrm » Civicrm » Version: 4.1.1
cpe:2.3:a:civicrm:civicrm:4.1.1:*:*:*:*:*:*:*
Matching versions
Civicrm » Civicrm » Version: 4.0.5
cpe:2.3:a:civicrm:civicrm:4.0.5:*:*:*:*:*:*:*
Matching versions
Civicrm » Civicrm » Version: 4.3.1
cpe:2.3:a:civicrm:civicrm:4.3.1:*:*:*:*:*:*:*
Matching versions
Civicrm » Civicrm » Version: 3.1.1
cpe:2.3:a:civicrm:civicrm:3.1.1:*:*:*:*:*:*:*
Matching versions
Civicrm » Civicrm » Version: 3.1.2
cpe:2.3:a:civicrm:civicrm:3.1.2:*:*:*:*:*:*:*
Matching versions
Civicrm » Civicrm » Version: 3.2.2
cpe:2.3:a:civicrm:civicrm:3.2.2:*:*:*:*:*:*:*
Matching versions
Civicrm » Civicrm » Version: 3.2.3
cpe:2.3:a:civicrm:civicrm:3.2.3:*:*:*:*:*:*:*
Matching versions
Civicrm » Civicrm » Version: 3.3.6
cpe:2.3:a:civicrm:civicrm:3.3.6:*:*:*:*:*:*:*
Matching versions
Civicrm » Civicrm » Version: 3.4.0
cpe:2.3:a:civicrm:civicrm:3.4.0:*:*:*:*:*:*:*
Matching versions
Civicrm » Civicrm » Version: 4.1.5
cpe:2.3:a:civicrm:civicrm:4.1.5:*:*:*:*:*:*:*
Matching versions
Civicrm » Civicrm » Version: 4.1.6
cpe:2.3:a:civicrm:civicrm:4.1.6:*:*:*:*:*:*:*
Matching versions
Civicrm » Civicrm » Version: 4.2.7
cpe:2.3:a:civicrm:civicrm:4.2.7:*:*:*:*:*:*:*
Matching versions
Civicrm » Civicrm » Version: 4.2.8
cpe:2.3:a:civicrm:civicrm:4.2.8:*:*:*:*:*:*:*
Matching versions
Civicrm » Civicrm » Version: 4.3.3
cpe:2.3:a:civicrm:civicrm:4.3.3:*:*:*:*:*:*:*
Matching versions
Civicrm » Civicrm » Version: 3.2.0
cpe:2.3:a:civicrm:civicrm:3.2.0:*:*:*:*:*:*:*
Matching versions
Civicrm » Civicrm » Version: 3.2.1
cpe:2.3:a:civicrm:civicrm:3.2.1:*:*:*:*:*:*:*
Matching versions
Civicrm » Civicrm » Version: 3.3.3
cpe:2.3:a:civicrm:civicrm:3.3.3:*:*:*:*:*:*:*
Matching versions
Civicrm » Civicrm » Version: 3.3.5
cpe:2.3:a:civicrm:civicrm:3.3.5:*:*:*:*:*:*:*
Matching versions
Civicrm » Civicrm » Version: 4.1.3
cpe:2.3:a:civicrm:civicrm:4.1.3:*:*:*:*:*:*:*
Matching versions
Civicrm » Civicrm » Version: 4.1.4
cpe:2.3:a:civicrm:civicrm:4.1.4:*:*:*:*:*:*:*
Matching versions
Civicrm » Civicrm » Version: 4.2.5
cpe:2.3:a:civicrm:civicrm:4.2.5:*:*:*:*:*:*:*
Matching versions
Civicrm » Civicrm » Version: 4.2.6
cpe:2.3:a:civicrm:civicrm:4.2.6:*:*:*:*:*:*:*
Matching versions
Civicrm » Civicrm » Version: 4.3.2
cpe:2.3:a:civicrm:civicrm:4.3.2:*:*:*:*:*:*:*
Matching versions
Civicrm » Civicrm » Version: 3.1.5
cpe:2.3:a:civicrm:civicrm:3.1.5:*:*:*:*:*:*:*
Matching versions
Civicrm » Civicrm » Version: 3.1.6
cpe:2.3:a:civicrm:civicrm:3.1.6:*:*:*:*:*:*:*
Matching versions
Civicrm » Civicrm » Version: 3.3.0
cpe:2.3:a:civicrm:civicrm:3.3.0:*:*:*:*:*:*:*
Matching versions
Civicrm » Civicrm » Version: 3.3.1
cpe:2.3:a:civicrm:civicrm:3.3.1:*:*:*:*:*:*:*
Matching versions
Civicrm » Civicrm » Version: 3.3.2
cpe:2.3:a:civicrm:civicrm:3.3.2:*:*:*:*:*:*:*
Matching versions
Civicrm » Civicrm » Version: 4.1.2
cpe:2.3:a:civicrm:civicrm:4.1.2:*:*:*:*:*:*:*
Matching versions
Civicrm » Civicrm » Version: 4.2.2
cpe:2.3:a:civicrm:civicrm:4.2.2:*:*:*:*:*:*:*
Matching versions
Civicrm » Civicrm » Version: 4.2.4
cpe:2.3:a:civicrm:civicrm:4.2.4:*:*:*:*:*:*:*
Matching versions
Civicrm » Civicrm » Version: 4.3.0
cpe:2.3:a:civicrm:civicrm:4.3.0:*:*:*:*:*:*:*
Matching versions
Civicrm » Civicrm » Version: 3.1.3
cpe:2.3:a:civicrm:civicrm:3.1.3:*:*:*:*:*:*:*
Matching versions
Civicrm » Civicrm » Version: 3.1.4
cpe:2.3:a:civicrm:civicrm:3.1.4:*:*:*:*:*:*:*
Matching versions
Civicrm » Civicrm » Version: 3.2.4
cpe:2.3:a:civicrm:civicrm:3.2.4:*:*:*:*:*:*:*
Matching versions
Civicrm » Civicrm » Version: 3.2.5
cpe:2.3:a:civicrm:civicrm:3.2.5:*:*:*:*:*:*:*
Matching versions
Civicrm » Civicrm » Version: 4.1.0
cpe:2.3:a:civicrm:civicrm:4.1.0:*:*:*:*:*:*:*
Matching versions
Civicrm » Civicrm » Version: 4.2.0
cpe:2.3:a:civicrm:civicrm:4.2.0:*:*:*:*:*:*:*
Matching versions
Civicrm » Civicrm » Version: 4.2.1
cpe:2.3:a:civicrm:civicrm:4.2.1:*:*:*:*:*:*:*
Matching versions
Civicrm » Civicrm » Version: 4.2.9
cpe:2.3:a:civicrm:civicrm:4.2.9:*:*:*:*:*:*:*
Matching versions
Civicrm » Civicrm » Version: 2.0.0
cpe:2.3:a:civicrm:civicrm:2.0.0:*:*:*:*:*:*:*
Matching versions
Civicrm » Civicrm » Version: 2.2.1
cpe:2.3:a:civicrm:civicrm:2.2.1:*:*:*:*:*:*:*
Matching versions
Civicrm » Civicrm » Version: 2.2.2
cpe:2.3:a:civicrm:civicrm:2.2.2:*:*:*:*:*:*:*
Matching versions
Civicrm » Civicrm » Version: 2.2.3
cpe:2.3:a:civicrm:civicrm:2.2.3:*:*:*:*:*:*:*
Matching versions
Civicrm » Civicrm » Version: 2.2.5
cpe:2.3:a:civicrm:civicrm:2.2.5:*:*:*:*:*:*:*
Matching versions
Civicrm » Civicrm » Version: 2.0.1
cpe:2.3:a:civicrm:civicrm:2.0.1:*:*:*:*:*:*:*
Matching versions
Civicrm » Civicrm » Version: 2.0.3
cpe:2.3:a:civicrm:civicrm:2.0.3:*:*:*:*:*:*:*
Matching versions
Civicrm » Civicrm » Version: 2.1.2
cpe:2.3:a:civicrm:civicrm:2.1.2:*:*:*:*:*:*:*
Matching versions
Civicrm » Civicrm » Version: 2.1.6
cpe:2.3:a:civicrm:civicrm:2.1.6:*:*:*:*:*:*:*
Matching versions
Civicrm » Civicrm » Version: 2.2.7
cpe:2.3:a:civicrm:civicrm:2.2.7:*:*:*:*:*:*:*
Matching versions
Civicrm » Civicrm » Version: 2.2.9
cpe:2.3:a:civicrm:civicrm:2.2.9:*:*:*:*:*:*:*
Matching versions
Civicrm » Civicrm » Version: 3.0.4
cpe:2.3:a:civicrm:civicrm:3.0.4:*:*:*:*:*:*:*
Matching versions
Civicrm » Civicrm » Version: 2.0.5
cpe:2.3:a:civicrm:civicrm:2.0.5:*:*:*:*:*:*:*
Matching versions
Civicrm » Civicrm » Version: 2.0.6
cpe:2.3:a:civicrm:civicrm:2.0.6:*:*:*:*:*:*:*
Matching versions
Civicrm » Civicrm » Version: 2.1.0
cpe:2.3:a:civicrm:civicrm:2.1.0:*:*:*:*:*:*:*
Matching versions
Civicrm » Civicrm » Version: 2.1.1
cpe:2.3:a:civicrm:civicrm:2.1.1:*:*:*:*:*:*:*
Matching versions
Civicrm » Civicrm » Version: 3.0.0
cpe:2.3:a:civicrm:civicrm:3.0.0:*:*:*:*:*:*:*
Matching versions
Civicrm » Civicrm » Version: 3.0.1
cpe:2.3:a:civicrm:civicrm:3.0.1:*:*:*:*:*:*:*
Matching versions
Civicrm » Civicrm » Version: 3.0.2
cpe:2.3:a:civicrm:civicrm:3.0.2:*:*:*:*:*:*:*
Matching versions
Civicrm » Civicrm » Version: 3.0.3
cpe:2.3:a:civicrm:civicrm:3.0.3:*:*:*:*:*:*:*
Matching versions
Civicrm » Civicrm » Version: 2.0.2
cpe:2.3:a:civicrm:civicrm:2.0.2:*:*:*:*:*:*:*
Matching versions
Civicrm » Civicrm » Version: 2.0.4
cpe:2.3:a:civicrm:civicrm:2.0.4:*:*:*:*:*:*:*
Matching versions
Civicrm » Civicrm » Version: 2.0.7
cpe:2.3:a:civicrm:civicrm:2.0.7:*:*:*:*:*:*:*
Matching versions
Civicrm » Civicrm » Version: 2.1.4
cpe:2.3:a:civicrm:civicrm:2.1.4:*:*:*:*:*:*:*
Matching versions
Civicrm » Civicrm » Version: 2.2.0
cpe:2.3:a:civicrm:civicrm:2.2.0:*:*:*:*:*:*:*
Matching versions
Civicrm » Civicrm » Version: 2.2.6
cpe:2.3:a:civicrm:civicrm:2.2.6:*:*:*:*:*:*:*
Matching versions
Civicrm » Civicrm » Version: 2.2.8
cpe:2.3:a:civicrm:civicrm:2.2.8:*:*:*:*:*:*:*
Matching versions

Exploit prediction scoring system (EPSS) score for CVE-2013-4661

EPSS FAQ

0.17%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 35 %

Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2013-4661

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source	First Seen
4.9	MEDIUM	AV:N/AC:M/Au:S/C:P/I:P/A:N	6.8	4.9	NIST
Access Vector: Network Access Complexity: Medium Authentication: Single Confidentiality Impact: Partial Integrity Impact: Partial Availability Impact: None

CWE ids for CVE-2013-4661

CWE-264

Assigned by: nvd@nist.gov (Primary)

References for CVE-2013-4661

http://civicrm.org/advisory/civi-sa-2013-003

CIVI-SA-2013-003 - Custom Search Permissions | CiviCRM
Vendor Advisory
http://issues.civicrm.org/jira/browse/CRM-12747

System Dashboard - CiviCRM Issue Tracker
http://civicrm.org/advisory/civi-sa-2013-003-custom-search-permissions

CIVI-SA-2013-003 - Custom Search Permissions | CiviCRM
Vendor Advisory

Jump to

Vulnerability Details : CVE-2013-4661

Products affected by CVE-2013-4661

Exploit prediction scoring system (EPSS) score for CVE-2013-4661

CVSS scores for CVE-2013-4661

CWE ids for CVE-2013-4661

References for CVE-2013-4661