Security Risk: Less Critical
Vulnerability: Information Disclosure
Affected Versions: 4.4, 4.5, 4.6
Fixed Versions: 4.4.20, 4.6.10
Publication Date: Wednesday, November 4, 2015
Description: 

The CiviCRM footer may have been displayed to users without "access CiviCRM" permission under certain conditions. The footer shows limited version information and upgrade notifications, which could be used by an attacker to identify vulnerabilities based on whether the installed version is up-to-date.

Solutions: 

Upgrade to the latest version of CiviCRM (4.4.20 or 4.6.10), which ensures the footer will never be shown to users without "access CiviCRM" permission.

Credits: 

Reported by John Kingsnorth and Alex Corr

Fixed by Coleman Watts

4.4 backport by Eileen McNaughton