CIVI-SA-2013-008 - Use SSL to retrieve information from

2013-07-07 16:08
Written by

CiviCRM v3.3 introduced the extensions directory, which retrieves extension listings and extension code over HTTP, and v4.3 introduced a new dashboard feed which displays news and updates retrieved from

Before v4.3.5, both were retrieved over an unencrypted channel. An attacker positioned between the web server and the remote host could therefore alter the responses in transit, for example by replacing a downloaded extension archive with one containing malicious code, via a "man in the middle" (MITM) attack.

From v4.3.5 onward, this data is retrieved over SSL (HTTPS), which reduces the potential for malicious content injection. Note that transport encryption only protects the data in transit; it does not, by itself, protect against a compromised or impersonated origin server, so the certificate presented by the remote host must actually be verified by the client.

Note: This vulnerability can only be exploited by an attacker who is positioned to actively manipulate Internet traffic as it passes between the site's web server and
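The hardening the advisory describes amounts to two things: never fetch listings or archives from a plain-HTTP URL, and, when fetching over HTTPS, verify the server certificate and hostname. The following is an added example in PHP (the language CiviCRM is written in) and is not CiviCRM's own code or the v4.3.5 fix; the listing URL, the CA bundle path and the function names are assumptions for illustration.

```php
<?php
// Added example, not CiviCRM code: fetch a remote extension listing or archive
// only over HTTPS, with certificate and hostname verification enforced.

/**
 * Reject any URL that is not https://, so a misconfigured or downgraded
 * endpoint can never be fetched in the clear. Returns the URL unchanged.
 */
function assertHttpsUrl(string $url): string
{
    $parts = parse_url($url);
    if ($parts === false || empty($parts['scheme']) || empty($parts['host'])) {
        throw new InvalidArgumentException("Malformed URL: $url");
    }
    if (strtolower($parts['scheme']) !== 'https') {
        throw new InvalidArgumentException("Refusing non-HTTPS URL: $url");
    }
    return $url;
}

/**
 * Download $url with TLS peer and hostname verification switched on.
 * $caBundle is a trusted CA bundle on the host (assumption: the path below is
 * the Debian/Ubuntu default; adjust for the platform).
 */
function fetchOverTls(string $url, string $caBundle = '/etc/ssl/certs/ca-certificates.crt'): string
{
    assertHttpsUrl($url);

    $ch = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_FOLLOWLOCATION => false,          // a redirect to http:// would silently downgrade
        CURLOPT_SSL_VERIFYPEER => true,           // verify the certificate chain (never false in production)
        CURLOPT_SSL_VERIFYHOST => 2,              // 2 = certificate name must match the requested host
        CURLOPT_CAINFO         => $caBundle,
        CURLOPT_PROTOCOLS      => CURLPROTO_HTTPS, // curl itself refuses any other scheme
        CURLOPT_TIMEOUT        => 30,
    ]);

    $body = curl_exec($ch);
    $err  = curl_error($ch);
    $code = curl_getinfo($ch, CURLINFO_RESPONSE_CODE);
    curl_close($ch);

    // A certificate that fails verification surfaces here as a transport error,
    // so the caller never sees attacker-supplied bytes.
    if ($body === false) {
        throw new RuntimeException("TLS/transport failure for $url: $err");
    }
    if ($code !== 200) {
        throw new RuntimeException("Unexpected HTTP status $code for $url");
    }
    return $body;
}

// Usage (hypothetical listing URL; replace with the real extensions directory):
try {
    assertHttpsUrl('http://example.org/extensions.xml'); // throws: non-HTTPS
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), PHP_EOL;
}
$listing = fetchOverTls('https://example.org/extensions.xml');
```

The two settings that matter most are `CURLOPT_SSL_VERIFYPEER` and `CURLOPT_SSL_VERIFYHOST`: with either disabled, switching the URL from http:// to https:// gives no protection against the MITM the advisory describes, because the attacker can simply present their own certificate. Disabling redirects (or restricting them with `CURLOPT_REDIR_PROTOCOLS`) closes the remaining downgrade path.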

Security Risk
Not Critical
Affected Versions

CiviCRM v3.3 - v4.3.4


Fixed Versions

CiviCRM v4.3.5


Solution

Any ONE of the following solutions will provide protection:

  • Upgrade to CiviCRM v4.3.5+.
  • (For sites running CiviCRM v4.2.x) Disable download of new extensions. (Note: The dashboard feed does not exist in v4.2.x, so the other issue in this advisory does not apply to it.)
  • (For sites running CiviCRM v4.1.x or earlier) Refrain from downloading extensions through the web interface. (Note: The dashboard feed does not exist in v4.1.x or earlier, so the other issue in this advisory does not apply to it.)

Credits

  • Jamie McClelland (Progressive Technology Project)
  • Tim Otten (CiviCRM LLC)
  • Coleman Watts (CiviCRM LLC)