Security Risk: Less Critical
Vulnerability: Information Disclosure
Affected Versions:
  • 4.7.20 and earlier
  • 4.6.28 and earlier
Fixed Versions:
  • 4.7.21
  • 4.6.29
Publication Date: Wednesday, July 5, 2017
Description: 

The pingback system is an optional mechanism which reports statistical data to civicrm.org. The pingback URL specified an unencrypted protocol (HTTP), so a well-positioned eavesdropper could potentially intercept the statistical data in transit. The pingback URL should specify an encrypted protocol (HTTPS) to prevent eavesdropping.
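The defect described above is a configuration-level one: an outbound reporting endpoint written with the wrong scheme. The following is an added example, not CiviCRM's own code, of a small check an operator or reviewer can run over the telemetry/pingback endpoints an application is configured to call, flagging any that are not HTTPS. The two URLs are constructed placeholders; the page does not give the real pingback address.

```python
from urllib.parse import urlparse

# Constructed placeholder endpoints (not the real civicrm.org pingback URL).
PINGBACK_URL_WEAK = "http://example.invalid/civicrm/stats"    # unencrypted scheme, as in the affected versions
PINGBACK_URL_FIXED = "https://example.invalid/civicrm/stats"  # encrypted scheme, as in the fixed versions


def check_pingback_url(url):
    """Return a list of findings for an outbound reporting URL; an empty list means it is acceptable."""
    findings = []
    parsed = urlparse(url)
    scheme = parsed.scheme.lower()
    if scheme == "":
        # A scheme-less value leaves the choice to the HTTP client, which may default to plain HTTP.
        findings.append("no scheme given; the client may fall back to unencrypted HTTP")
    elif scheme != "https":
        findings.append(
            "unencrypted scheme '%s': reported data is readable by an on-path eavesdropper" % parsed.scheme
        )
    if not parsed.netloc:
        findings.append("missing host component")
    return findings


def is_encrypted_endpoint(url):
    """True only when the URL uses HTTPS and names a host."""
    return check_pingback_url(url) == []


def audit_endpoints(endpoints):
    """Audit a mapping of setting name -> URL and return only the entries with findings."""
    return {name: check_pingback_url(url) for name, url in endpoints.items() if check_pingback_url(url)}


if __name__ == "__main__":
    # Constructed sample configuration: one weak and one corrected entry.
    sample = {"pingback_url_old": PINGBACK_URL_WEAK, "pingback_url_new": PINGBACK_URL_FIXED}
    for name, findings in audit_endpoints(sample).items():
        print(name, "->", "; ".join(findings))
```

The check is deliberately strict about scheme-less values: a URL such as `example.invalid/stats` is reported rather than silently accepted, because what protocol the client then uses depends on the HTTP library, not on the configuration.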

Solutions: 

Upgrade to the latest version of CiviCRM.

If you cannot upgrade, you should apply either of the following patches:

Credits: 

Thanks to Nicolas Ganivent of CiviDesk for reporting the issue.

Seamus Lee of Australian Greens for fixing.