- CiviCRM 4.6.10 and below
- CiviCRM 4.6.11
The 4.6.11 release of CiviCRM addresses an issue whereby directly accessing certain CiviCRM files could reveal the full path of the active CiviCRM installation.
This is a Full Path Disclosure issue: while not directly exploitable on its own, in combination with other attacks it may weaken the security of an installation.
For more information on this type of vulnerability, see OWASP's page on Full Path Disclosure.
- Upgrade to CiviCRM 4.6.11 or later, OR
- Apply the patch from CRM-17177: https://github.com/civicrm/civicrm-core/pull/7156
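After upgrading or patching, an administrator may want to confirm that direct requests to the files in question no longer echo an absolute filesystem path. The following is an added example, not part of this advisory or of CiviCRM itself: it scans captured response bodies for the PHP error output that typically carries a path disclosure, using constructed sample responses and hypothetical path roots.

```python
import re
from typing import Dict, List

# PHP runtime errors rendered into an HTTP response are the classic source of
# full path disclosure: "... in /abs/path/file.php on line N". These patterns
# are constructed for this example and are not taken from CiviCRM itself.
PHP_ERROR_RE = re.compile(
    r"(?:Warning|Notice|Fatal error|Parse error|Deprecated)\b.*?\bin\s+(?:<b>)?"
    r"(?P<path>(?:/[^\s:'\"<>]+|[A-Za-z]:\\[^\s'\"<>]+)\.(?:php|inc|tpl))"
    r"(?:</b>)?\s+on line\s+(?:<b>)?\d+",
    re.DOTALL,
)
# Bare absolute paths (stack traces, template errors) anchored on common
# install roots so that ordinary URL paths in HTML (/sites/..., /index.php)
# are not mistaken for filesystem paths. Root list is an assumption.
ABS_PATH_RE = re.compile(
    r"(?<![\w/])(?:/(?:var|home|usr|srv|opt)/[^\s:'\"<>]+\.(?:php|inc|tpl)"
    r"|[A-Za-z]:\\[^\s'\"<>]+\.(?:php|inc|tpl))"
)


def find_path_disclosures(body: str) -> List[str]:
    """Return the distinct absolute filesystem paths leaked in one response body."""
    found = [m.group("path") for m in PHP_ERROR_RE.finditer(body)]
    found += [m.group(0) for m in ABS_PATH_RE.finditer(body)]
    return list(dict.fromkeys(found))  # de-duplicate, keep first-seen order


def audit_responses(responses: Dict[str, str]) -> Dict[str, List[str]]:
    """Map each requested URL to the paths its response leaked (empty = clean)."""
    return {url: find_path_disclosures(body) for url, body in responses.items()}


# Constructed sample responses (not real CiviCRM output) for demonstration.
LEAKY_RESPONSE = (
    "<br />\n<b>Fatal error</b>:  Class 'CRM_Core_Config' not found in "
    "<b>/var/www/html/sites/all/modules/civicrm/CRM/Utils/Foo.php</b> "
    "on line <b>12</b><br />\n"
)
WIN_RESPONSE = (
    "Warning: include(): Failed opening 'x' in "
    "C:\\inetpub\\wwwroot\\civicrm\\CRM\\Core\\Config.php on line 40"
)
CLEAN_RESPONSE = '<a href="/sites/all/modules/civicrm/extern/rest.php">API</a>'

if __name__ == "__main__":
    sample = {"/a.php": LEAKY_RESPONSE, "/b.php": WIN_RESPONSE, "/c.php": CLEAN_RESPONSE}
    for url, paths in audit_responses(sample).items():
        print(url, "LEAKS" if paths else "clean", paths)
```

Feed it the bodies of the responses you capture while re-testing the patched installation; any non-empty list means the path is still being disclosed.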