
Anonymous user able to manipulate contact data through contribution page

    Details

    • Type: Bug
    • Status: Done/Fixed
    • Priority: Blocker
    • Resolution: Won't Fix
    • Affects Version/s: 4.2.7
    • Fix Version/s: None
    • Component/s: Core CiviCRM
    • Labels:
      None

      Description

      It is possible to manipulate or destroy the saved data of a contact record just by signing a contribution.

      To recreate you need a profile with name and address or other user data, connected to a contribution page.

      The attacker has only to know the victim's email address. Because there is no other security barrier, the data record will actually immediately destroy the user record by replacing all old data.

      This is actually a very stupid behavior for anything that tries to be a professional solution of some sort.
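      The behavior the report describes is an unauthenticated form submission being matched to an existing contact by email and then overwriting that contact's stored fields. The example below is added here to illustrate the defensive pattern; it is not CiviCRM code and uses hypothetical helper names and constructed sample data. It contrasts the unsafe "replace everything on match" merge with a merge that, for a submission that only matched on email and was not made by a logged-in owner of the record, fills empty fields only and queues conflicting values for staff review instead of applying them.

```php
<?php
// Added example, not CiviCRM code. Hypothetical helpers illustrating how a
// profile submission matched to an existing contact by email should be merged.

/**
 * Unsafe pattern from the report: every stored field of the matched contact
 * is replaced by whatever the anonymous submitter typed, including blanks.
 */
function unsafeApplySubmission(array $existing, array $submitted): array
{
    return array_merge($existing, $submitted);
}

/**
 * Safer pattern: a submission that is not from the authenticated owner of
 * the record never overwrites stored data. Empty fields on the existing
 * record may be filled; conflicting values are returned for review.
 *
 * @return array{contact: array, conflicts: array}
 */
function safeApplySubmission(array $existing, array $submitted, bool $authenticatedOwner): array
{
    if ($authenticatedOwner) {
        // The logged-in owner of the record is allowed to update it outright.
        return ['contact' => array_merge($existing, $submitted), 'conflicts' => []];
    }

    $contact = $existing;
    $conflicts = [];
    foreach ($submitted as $field => $value) {
        if ($value === null || $value === '') {
            continue; // blanks from an unverified submitter never erase data
        }
        if (!isset($contact[$field]) || $contact[$field] === '') {
            $contact[$field] = $value; // filling a gap is low risk
        } elseif ($contact[$field] !== $value) {
            // Disagreement with stored data: record it, do not apply it.
            $conflicts[$field] = ['stored' => $contact[$field], 'submitted' => $value];
        }
    }
    return ['contact' => $contact, 'conflicts' => $conflicts];
}

// Constructed sample data: an existing contact and an anonymous submission
// that matched it on email alone.
$existing = [
    'email'          => 'donor@example.org',
    'first_name'     => 'Alice',
    'last_name'      => 'Smith',
    'street_address' => '1 Main St',
    'city'           => '',
];
$submitted = [
    'email'          => 'donor@example.org',
    'first_name'     => 'Mallory',
    'last_name'      => '',
    'street_address' => '99 Other Rd',
    'city'           => 'Springfield',
];

echo "Unsafe merge:\n";
print_r(unsafeApplySubmission($existing, $submitted));

echo "Safe merge (unauthenticated submitter):\n";
$result = safeApplySubmission($existing, $submitted, false);
print_r($result['contact']);
echo "Fields queued for staff review:\n";
print_r($result['conflicts']);
```

      In the unsafe merge the stored name and address are replaced and the last name is blanked, which is the data loss the report describes. In the safe merge only the empty city is filled; the differing first name and street address are held as conflicts, so a submitter who knows nothing but the email address cannot change what is stored. Logging those conflicts also gives operators a detection signal for repeated attempts against one address.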

            People

            • Assignee:
              lobo Donald A. Lobo
              Reporter:
              andromedas Alexandro Gratiolet