Security Risk: 
Moderately Critical
Vulnerability: 
Arbitrary PHP Code Execution
Information Disclosure
Other
Affected Versions: 
  • CiviCRM before 4.6.11
Fixed Versions: 
  • CiviCRM 4.6.11 and later
Publication Date: 
Tuesday, February 2, 2016
Description: 

The 4.6.11 release of CiviCRM addresses multiple vulnerabilities in DOMPDF, a library used within CiviCRM to generate PDFs.

For more information, see the DOMPDF release notes for DOMPDF v0.6.2.

Solutions: 
Credits: 

This issue was reported by Neil Drumm of the Drupal Security Team. The fix was co-ordinated by Tim Otten of CiviCRM, and Chris Burgess of Fuzion Aotearoa.
