CIVI-SA-2015-010: Version information disclosure

Published

2015-11-02 12:56

Written by

colemanw

The CiviCRM footer may have been displayed to users without "access CiviCRM" permission under certain conditions. The footer shows limited version information and upgrade notifications, which could be used by an attacker to identify vulnerabilities based on whether the installed version is up-to-date.

Security Risk

Less Critical

Vulnerability

Information Disclosure

Affected Versions

4.4, 4.5, 4.6

Fixed Versions

4.4.20, 4.6.10

Solutions

Upgrade to the latest version of CiviCRM, which ensures the footer will never be shown to users without "access CiviCRM" permission.

4.4.20 or 4.6.10

Credits

Reported by John Kingsnorth and Alex Corr

Fixed by Coleman Watts

4.4 backport by Eileen McNaughton

References

Fix for 4.6: https://github.com/civicrm/civicrm-core/pull/7101

Fix for 4.4: https://github.com/civicrm/civicrm-core/pull/7102

We are in the process of translating the civicrm.org website. Translations may not be available in all languages. Read more and participate.

© 2005 - 2023, CIVICRM LLC. All rights reserved.
CiviCRM and the CiviCRM logo are trademarks of CIVICRM LLC. Except where otherwise noted, content on this site is licensed under a Creative Commons Attribution-Share Alike 3.0 United States Licence.

[D8]

CIVI-SA-2015-010: Version information disclosure

WORK WITH A TRUSTED EXPERT
TO SETUP YOUR CIVICRM

Languages

CIVI-SA-2015-010: Version information disclosure

WORK WITH A TRUSTED EXPERT TO SETUP YOUR CIVICRM

WORK WITH A TRUSTED EXPERT
TO SETUP YOUR CIVICRM