CVE-2013-4661

CiviCRM 2.0.0 through 4.2.9 and 4.3.0 through 4.3.3 does not properly enforce role-based access control (RBAC) restrictions for default custom searches, which allows remote authenticated users with the "access CiviCRM" permission to bypass intended access restrictions, as demonstrated by accessing custom contribution data without having the "access CiviContribute" permission.

Published: Jan 29, 2014
Updated: Nov 9, 2025
CVE: CVE-2013-4661
Severity: Low
Exploit:

CVSS v2:

Severity: Low
Score: 4.9
AV:N/AC:M/Au:S/C:P/I:P/A:N

CWEs:

CWE-264

Affected Software
References

Software	From	Fixed in
civicrm / civicrm	3.0.2	3.0.2.x
civicrm / civicrm	3.1.3	3.1.3.x
civicrm / civicrm	4.2.5	4.2.5.x
civicrm / civicrm	4.1.2	4.1.2.x
civicrm / civicrm	3.0.3	3.0.3.x
civicrm / civicrm	4.3.1	4.3.1.x
civicrm / civicrm	2.2.3	2.2.3.x
civicrm / civicrm	4.1.4	4.1.4.x
civicrm / civicrm	2.2.0	2.2.0.x
civicrm / civicrm	2.0.2	2.0.2.x
civicrm / civicrm	2.1.0	2.1.0.x
civicrm / civicrm	2.1.4	2.1.4.x
civicrm / civicrm	4.2.8	4.2.8.x
civicrm / civicrm	2.1.1	2.1.1.x
civicrm / civicrm	2.0.4	2.0.4.x
civicrm / civicrm	4.1.1	4.1.1.x
civicrm / civicrm	2.1.2	2.1.2.x
civicrm / civicrm	4.2.7	4.2.7.x
civicrm / civicrm	2.2.5	2.2.5.x
civicrm / civicrm	3.4.0	3.4.0.x
civicrm / civicrm	4.3.0	4.3.0.x
civicrm / civicrm	2.0.7	2.0.7.x
civicrm / civicrm	3.3.1	3.3.1.x
civicrm / civicrm	2.1.6	2.1.6.x
civicrm / civicrm	2.2.8	2.2.8.x
civicrm / civicrm	3.1.1	3.1.1.x
civicrm / civicrm	3.3.0	3.3.0.x
civicrm / civicrm	3.2.4	3.2.4.x
civicrm / civicrm	3.0.1	3.0.1.x
civicrm / civicrm	3.2.1	3.2.1.x
civicrm / civicrm	3.2.3	3.2.3.x
civicrm / civicrm	3.3.5	3.3.5.x
civicrm / civicrm	3.3.3	3.3.3.x
civicrm / civicrm	4.0.5	4.0.5.x
civicrm / civicrm	2.2.6	2.2.6.x
civicrm / civicrm	3.3.2	3.3.2.x
civicrm / civicrm	4.2.1	4.2.1.x
civicrm / civicrm	2.0.3	2.0.3.x
civicrm / civicrm	3.1.6	3.1.6.x
civicrm / civicrm	4.2.0	4.2.0.x
civicrm / civicrm	4.1.6	4.1.6.x
civicrm / civicrm	2.2.9	2.2.9.x
civicrm / civicrm	4.2.4	4.2.4.x
civicrm / civicrm	4.1.0	4.1.0.x
civicrm / civicrm	3.1.4	3.1.4.x
civicrm / civicrm	4.3.2	4.3.2.x
civicrm / civicrm	4.2.2	4.2.2.x
civicrm / civicrm	3.0.0	3.0.0.x
civicrm / civicrm	4.2.6	4.2.6.x
civicrm / civicrm	3.0.4	3.0.4.x
civicrm / civicrm	4.1.3	4.1.3.x
civicrm / civicrm	3.1.5	3.1.5.x
civicrm / civicrm	3.3.6	3.3.6.x
civicrm / civicrm	2.0.1	2.0.1.x
civicrm / civicrm	3.2.5	3.2.5.x
civicrm / civicrm	2.0.0	2.0.0.x
civicrm / civicrm	4.3.3	4.3.3.x
civicrm / civicrm	4.1.5	4.1.5.x
civicrm / civicrm	3.2.2	3.2.2.x
civicrm / civicrm	3.1.2	3.1.2.x
civicrm / civicrm	3.2.0	3.2.0.x
civicrm / civicrm	2.0.6	2.0.6.x
civicrm / civicrm	4.2.9	4.2.9.x
civicrm / civicrm	2.2.2	2.2.2.x
civicrm / civicrm	2.0.5	2.0.5.x
civicrm / civicrm	2.2.7	2.2.7.x
civicrm / civicrm	2.2.1	2.2.1.x

Vulnerability Database

314,615

CVE-2013-4661

Deep Security Visibility Without the Complexity