Details
- Type: Bug
- Status: Done/Fixed
- Priority: Trivial
- Resolution: Fixed/Completed
- Affects Version/s: 4.7.16, 4.6.28
- Component/s: None
- Security Level: Security - Published
- Labels: None
- Versioning Impact: Patch (backwards-compatible bug fixes)
- Documentation Required?: None
- Funding Source: Needs Funding
- Verified?: No
Description
In CRM-18112 it was addressed that Contact.get should not return API keys. This was released in the 4.6.14 / 4.7.3 security release.
Thomas Schüttler has reported that the Contact.create API still returns the API key and can be used as a proxy for Contact.get by supplying only a contact ID as a parameter (create => update => return the "modified" contact).
This can be abused either via an authenticated session of a user with regular access to CiviCRM, or via the extern/rest.php endpoint with an existing API key (which requires a site key).
This is a privilege escalation vulnerability.
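The root cause is that the api_key filter from CRM-18112 was applied to a single action (get) while another action (create, used as an update) echoes the same stored record. The following added illustration, which is not CiviCRM's own code, models both API layers over a constructed in-memory contact table: the vulnerable dispatcher filters only get, while the hardened dispatcher routes every action's result through one output stage. The permission name "edit api keys" is used here as an assumed placeholder.

```python
# Constructed in-memory contact table; api_key is the sensitive field.
CONTACTS = {
    101: {"id": 101, "display_name": "Alice Example",
          "api_key": "ak_alice_CONSTRUCTED"},
}
SENSITIVE_FIELDS = {"api_key"}


def _strip_sensitive(record, caller_perms):
    """Return a copy without sensitive fields unless the caller may see them.
    "edit api keys" is an assumed permission name for this illustration."""
    if "edit api keys" in caller_perms:
        return dict(record)
    return {k: v for k, v in record.items() if k not in SENSITIVE_FIELDS}


def _create_or_update(params):
    """Create a contact, or update the existing one when an id is supplied,
    and return the stored ("modified") record, as the issue describes."""
    cid = params.get("id")
    if cid is None:
        cid = max(CONTACTS) + 1
        CONTACTS[cid] = {"id": cid, "api_key": None}
    CONTACTS[cid].update({k: v for k, v in params.items() if k != "id"})
    return CONTACTS[cid]


def _select(params):
    """Rows matching an optional id filter."""
    return [r for r in CONTACTS.values()
            if "id" not in params or r["id"] == params["id"]]


def vulnerable_api(action, params, caller_perms=frozenset()):
    """Filter applied only on get: create leaks the raw stored record."""
    if action == "get":
        return [_strip_sensitive(r, caller_perms) for r in _select(params)]
    if action == "create":
        return [_create_or_update(params)]  # bypass: raw record, api_key included
    raise ValueError(action)


def hardened_api(action, params, caller_perms=frozenset()):
    """One output stage: every action's result passes through the filter."""
    if action == "get":
        rows = _select(params)
    elif action == "create":
        rows = [_create_or_update(params)]
    else:
        raise ValueError(action)
    return [_strip_sensitive(r, caller_perms) for r in rows]
```

A regression test for a fix of this kind should exercise every action that returns the entity, not only the one named in the original report.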