CIVI-SA-2017-01: Pingback URL Not encrypted

2017-07-05 23:00
Written by

The pingback system is an optional mechanism which reports statistical data to The pingback URL specified an unencrypted protocol (HTTP), and well-positioned eavesdropper could potentially intercept statistical data. The pingback URL should specify an encrypted protocol (HTTPS) to prevent eavesdropping.

Security Risk
Less Critical
Information Disclosure
Affected Versions
  • 4.7.20 and earlier
  • 4.6.28 and earlier
Fixed Versions
  • 4.7.21
  • 4.6.29

Upgrade to the latest version of CiviCRM

If you cannot upgrade you should apply either of the following patches:


Thanks to Nicolas Ganivent of CiviDesk for reporting the issue

Seamus Lee of Australian Greens for fixing