Security Risk: 
Less Critical
Vulnerability: 
Information Disclosure
Affected Versions: 

CiviCRM versions prior to 4.7.8 or 4.6.17

Fixed Versions: 

CiviCRM versions 4.7.8 or greater, or 4.6.17 or greater.

Publication Date: 
Thursday, June 2, 2016
Description: 

A potential information disclosure issue was identified in a packaged library, HTML TreeBuilder.

CiviCRM now patches the TreeBuilder library to direct debug output to the CiviCRM debug log, rather than to the screen.

Solutions: 
Credits: 

Thanks to Hewlett Packard for reporting the issue, and to Tim Otten for the fix.

References: 

CRM-16898

CVE: 
CIVI-SA-2016-09