Security Risk: 
Less Critical
Information Disclosure
Affected Versions: 
  • 4.7.20 and earlier
  • 4.6.28 and earlier
Fixed Versions: 
  • 4.7.21
  • 4.6.29
Publication Date: 
Wednesday, July 5, 2017

The pingback system is an optional mechanism which reports statistical data to The pingback URL specified an unencrypted protocol (HTTP), so a well-positioned eavesdropper could potentially intercept the statistical data in transit. The pingback URL should specify an encrypted protocol (HTTPS) to prevent eavesdropping.
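As an added illustration (not CiviCRM's own code), a small configuration audit for an outbound reporting URL like the pingback endpoint described above: it flags the weak plaintext setting, shows the corrected HTTPS form beside it, and rewrites an http:// URL to https://. The sample URLs are constructed placeholders, not the real pingback address.

```python
from urllib.parse import urlparse

# Constructed sample values (hypothetical host); the real pingback URL is not shown.
WEAK_URL = "http://stats.example.invalid/pingback"       # cleartext: findings expected
HARDENED_URL = "https://stats.example.invalid/pingback"  # encrypted: no findings


def audit_reporting_url(url: str) -> list[str]:
    """Return findings for an outbound reporting URL; an empty list means it passes."""
    parsed = urlparse(url)
    findings = []
    # Anything other than https lets an on-path observer read the reported data.
    if parsed.scheme != "https":
        findings.append(f"scheme '{parsed.scheme or '(none)'}' is not https: data sent in cleartext")
    if not parsed.hostname:
        findings.append("no host in URL")
    # Embedded credentials would travel with every report and leak the same way.
    if parsed.username or parsed.password:
        findings.append("credentials embedded in URL would be exposed with the request")
    return findings


def enforce_https(url: str) -> str:
    """Return the URL with an https scheme; http is upgraded, anything else is rejected."""
    parsed = urlparse(url)
    if parsed.scheme == "https":
        return url
    if parsed.scheme == "http":
        return parsed._replace(scheme="https").geturl()
    raise ValueError(f"unsupported scheme for a reporting URL: {parsed.scheme!r}")


if __name__ == "__main__":
    for candidate in (WEAK_URL, HARDENED_URL):
        print(candidate, "->", audit_reporting_url(candidate) or "OK")
    print("corrected:", enforce_https(WEAK_URL))
```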


Upgrade to the latest version of CiviCRM

If you cannot upgrade, you should apply either of the following patches:


Thanks to Nicolas Ganivent of CiviDesk for reporting the issue, and to Seamus Lee of the Australian Greens for fixing it.