Details
- Type: Security Advisory
- Status: Done/Fixed
- Priority: Major
- Resolution: Fixed/Completed
- Affects Version/s: 4.4.6
- Fix Version/s: 4.5
- Component/s: None
- Labels: None
- Documentation Required?: None
Description
I could be wrong, but as far as I've tested, you can delete tags (maybe also other "Reserved" stuff) which are marked as "Reserved".
The "delete" button is not visible (as it should be), but you can delete it either way by entering the URL manually:
index.php?q=civicrm/admin/tag&action=delete&id=ID_OF_RESERVED_TAG
After clicking on delete, the tag is deleted!
I even tried it with a user that didn't have the "administer reserved tags" permission.
I think this is a major issue!
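
The gap described in the report, as an added example that is not part of the original report and is not CiviCRM code: the UI rule that hides the delete link is also enforced inside the delete handler, next to a handler that skips it. All function names, the sample tags and the `administer tags` permission are hypothetical; only `administer reserved tags` comes from the report.

```php
<?php
// Constructed sample data (not CiviCRM's schema): two tags, one reserved.
function sampleTags(): array {
    return [
        1 => ['name' => 'Volunteer',   'is_reserved' => false],
        2 => ['name' => 'Major Donor', 'is_reserved' => true],
    ];
}

// Single policy rule: reserved tags need the dedicated permission.
function canDeleteTag(array $tag, array $perms): bool {
    return !$tag['is_reserved']
        || in_array('administer reserved tags', $perms, true);
}

// Handler as the report describes the behaviour: the id from the query string
// is acted on and the reserved flag is never consulted on the server. Hiding
// the link in the page does nothing for a URL that is typed in by hand.
function deleteTagUnchecked(array &$tags, int $id, array $perms): bool {
    if (!isset($tags[$id])) {
        return false;
    }
    unset($tags[$id]);
    return true;
}

// Hardened handler: the rule that decides whether the link is rendered is
// applied again at the point where the row is removed.
function deleteTagChecked(array &$tags, int $id, array $perms): bool {
    if (!isset($tags[$id]) || !canDeleteTag($tags[$id], $perms)) {
        return false; // a real handler would answer 403 and log the attempt
    }
    unset($tags[$id]);
    return true;
}

$perms = ['administer tags']; // hypothetical user without the reserved-tags permission
$a = sampleTags();
$b = sampleTags();
$rows = [
    'delete link rendered for reserved tag' => canDeleteTag($a[2], $perms),
    'unchecked handler deletes reserved tag' => deleteTagUnchecked($a, 2, $perms),
    'checked handler deletes reserved tag' => deleteTagChecked($b, 2, $perms),
    'checked handler deletes normal tag' => deleteTagChecked($b, 1, $perms),
];
foreach ($rows as $label => $result) {
    printf("%-40s %s\n", $label, var_export($result, true));
}
```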