CIVI-SA-2016-03: Multiple vulnerabilties in DOMPDF

Published

2016-02-02 02:12

Written by

The 4.6.11 release of CiviCRM addresses multiple vulnerabilities in DOMPDF, a library used within CiviCRM to generate PDFs.

For more information, see the DOMPDF release notes for DOMPDF v0.6.2

Security Risk

Moderately Critical

Vulnerability

Arbitrary PHP Code Execution

Information Disclosure

Other

Affected Versions

CiviCRM before 4.6.11

Fixed Versions

CiviCRM 4.6.11 and later

Solutions

Upgrade to CiviCRM 4.6.11 or later, OR
Apply patches from CRM-17733:
- For 4.4, https://github.com/civicrm/civicrm-packages/pull/136
- For 4.6+, https://github.com/civicrm/civicrm-core/pull/7478

Credits

This issue was reported by Neil Drumm of the Drupal Security Team. The fix was co-ordinated by Tim Otten of CiviCRM, and Chris Burgess of Fuzion Aotearoa.

References

https://github.com/dompdf/dompdf/releases/tag/v0.6.2

We are in the process of translating the civicrm.org website. Translations may not be available in all languages. Read more and participate.

© 2005 - 2023, CIVICRM LLC. All rights reserved.
CiviCRM and the CiviCRM logo are trademarks of CIVICRM LLC. Except where otherwise noted, content on this site is licensed under a Creative Commons Attribution-Share Alike 3.0 United States Licence.

[D8]

CIVI-SA-2016-03: Multiple vulnerabilties in DOMPDF

WORK WITH A TRUSTED EXPERT
TO SETUP YOUR CIVICRM

Languages

CIVI-SA-2016-03: Multiple vulnerabilties in DOMPDF

WORK WITH A TRUSTED EXPERT TO SETUP YOUR CIVICRM

WORK WITH A TRUSTED EXPERT
TO SETUP YOUR CIVICRM