CIVI-SA-2016-09: Risk of information disclosure in packaged library

Published
2016-06-01 14:13
Written by

A potential for information disclosure was identified in a packaged library, HTML TreeBuilder.

CiviCRM now patches the TreeBuilder library to direct debug output to the CiviCRM debug log, rather than to the screen.

Security Risk
Less Critical
Vulnerability
Information Disclosure
Affected Versions

CiviCRM versions prior to 4.7.8 or 4.6.17

Fixed Versions

CiviCRM versions 4.7.8 or greater, or 4.6.17 or greater.

Solutions
Credits

Thanks to Hewlett Packard for reporting the issue, and to Tim Otten for the fix.

References

CRM-16898

CVE
CIVI-SA-2016-09