Drupal Security Team: DRUPAL-SA-CONTRIB-2012-161
Published: Nov 07, 2012 - 12:00 a.m.

SA-CONTRIB-2012-161 - Webform CiviCRM Integration - Access Bypass

2012-11-07 00:00:00
Drupal Security Team
www.drupal.org

CVSS2: 5 Medium
Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N
Access Vector: NETWORK
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: NONE
Availability Impact: NONE

EPSS: 0.967 High (percentile 99.7%)

Webform CiviCRM integration allows you to expose contact data via Webforms. Depending on what fields you have exposed in your form, this may include personal information such as birthdate, phone number, email address, etc. Proper permission settings are important to keep this information from prying eyes.
Each “existing contact” field on a webform has an “Enforce Permissions” setting that applies CiviCRM's own access checks before contact data is autofilled into the form. This setting should rarely be disabled, and only by admins who understand the consequences. Unfortunately, several circumstances may have led an admin to disable it incorrectly:

  • In versions 3.0 - 3.1 of this module, “Enforce Permissions” was not on by default and had to be selected manually by the admin. This was fixed in 3.2.
  • In versions 3.0 - 3.2, the current user could not be autofilled for normal unprivileged users. This may have led some admins to disable the “Enforce Permissions” setting as a workaround, which is dangerous.
  • In versions 3.0 - 3.3, autofilling a contact via a URL carrying a checksum did not work for anonymous users unless the “Enforce Permissions” setting was disabled.

Version 3.4 includes an update script which will automatically set “Enforce Permissions” for all existing contacts to true. Once you have upgraded, you may wish to review your webforms and ensure that autofilling contacts works as expected, especially for anonymous users. In a few rare cases where you have established access control through some other means, disabling “Enforce Permissions” may be necessary and you will need to do so manually.
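The post-upgrade review described above, as an added audit-and-remediation script. This is not the module's own 3.4 update hook or any code from the project; it assumes a Drupal 7 bootstrap (run it with `drush php-script`), that the “existing contact” field is the webform component type `civicrm_contact`, and that its “Enforce Permissions” setting is stored under the key path `$extra['filters']['check_permissions']` in Webform's serialized `extra` column. Both the component type and the key path are assumptions to verify against your installed version before relying on the output.

```php
<?php
// Added example, not the module's own update script or project code.
// Run inside a Drupal 7 bootstrap, e.g. `drush php-script audit.php`.
// Assumptions, labelled because the advisory does not spell them out:
//  - the "existing contact" field is webform component type 'civicrm_contact';
//  - its "Enforce Permissions" flag lives at $extra['filters']['check_permissions']
//    in the serialized `extra` column of Webform's {webform_component} table.

/**
 * Load every existing-contact component with its settings unserialized.
 *
 * @return array of objects carrying nid, cid, name and extra (array).
 */
function example_wfc_load_contact_components() {
  $rows = array();
  $result = db_select('webform_component', 'c')
    ->fields('c', array('nid', 'cid', 'name', 'extra'))
    ->condition('c.type', 'civicrm_contact')   // assumed component type
    ->execute();
  foreach ($result as $row) {
    $extra = unserialize($row->extra);
    $row->extra = is_array($extra) ? $extra : array();
    $rows[] = $row;
  }
  return $rows;
}

/**
 * Audit: list components whose Enforce Permissions flag is off or missing.
 * A missing key is reported as "off": in 3.0 - 3.1 the flag was simply not
 * set by default, so absence is the unsafe case, not the safe one.
 */
function example_wfc_audit_enforce_permissions() {
  $findings = array();
  foreach (example_wfc_load_contact_components() as $row) {
    if (empty($row->extra['filters']['check_permissions'])) {  // assumed key path
      $findings[] = array(
        'nid'  => $row->nid,
        'cid'  => $row->cid,
        'name' => $row->name,
        // Drupal 7 Webform's component edit path, for the reviewer's convenience.
        'path' => "node/{$row->nid}/webform/components/{$row->cid}",
      );
    }
  }
  return $findings;
}

/**
 * Remediate: switch Enforce Permissions on for every flagged component,
 * which is what the advisory describes the 3.4 update script as doing.
 * Returns the number of components changed. Run the audit first and keep
 * its output: a form that deliberately relied on the flag being off
 * (access control established some other way) must be reviewed by hand.
 */
function example_wfc_enforce_permissions_everywhere() {
  $changed = 0;
  foreach (example_wfc_load_contact_components() as $row) {
    if (!empty($row->extra['filters']['check_permissions'])) {
      continue;  // already enforcing; nothing to do
    }
    $row->extra['filters']['check_permissions'] = 1;
    db_update('webform_component')
      ->fields(array('extra' => serialize($row->extra)))
      ->condition('nid', $row->nid)
      ->condition('cid', $row->cid)
      ->execute();
    $changed++;
  }
  return $changed;
}

// Usage: report first, then apply the fix only after reviewing the report.
foreach (example_wfc_audit_enforce_permissions() as $f) {
  print "Enforce Permissions OFF: node {$f['nid']} component {$f['cid']} "
      . "({$f['name']}) at {$f['path']}\n";
}
// Uncomment once the report has been reviewed:
// print 'Changed: ' . example_wfc_enforce_permissions_everywhere() . "\n";
```

Running the audit before the 3.4 upgrade tells you which forms were exposing contact data to anonymous or unprivileged users; running it again afterwards confirms the update script left nothing behind. Anything that still shows as OFF after that is either a form you deliberately exempted, which should be documented, or a row the update did not reach, which the remediation function fixes.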

CVE: CVE-2012-5554

Versions affected

  • Webform CiviCRM Integration 7.x-3.0 to 7.x-3.3

Drupal core is not affected. If you do not use the contributed Webform CiviCRM Integration module, there is nothing you need to do.

Solution

Install the latest version: upgrade to Webform CiviCRM Integration 7.x-3.4 (the release containing the update script described above) or later.

Also see the Webform CiviCRM Integration project page.
