Security Risk: 
Not Critical
Affected Versions: 
  • CiviCRM 4.6.10 and below
Fixed Versions: 
  • CiviCRM 4.6.11
Publication Date: 
Wednesday, February 3, 2016

The 4.6.11 release of CiviCRM addresses an issue whereby directly accessing certain CiviCRM files could reveal the full path of the active CiviCRM installation.

This is Full Path Disclosure and while not directly exploitable, in combination with other attacks it may weaken the security of an installation.

For more information on this type of vulnerability, see OWASP's page on Full Path Disclosure.


This issue was responsibly disclosed to CiviCRM by the Hewlett-Packard Fortify Open Review Project. For more information about the Fortify Open Review project, visit

This issue was resolved by Chris Burgess of Fuzion Aotearoa.