CIVI-SA-2015-010: Version information disclosure

Publicat
2015-11-02 12:56
Written by

The CiviCRM footer may have been displayed to users without "access CiviCRM" permission under certain conditions. The footer shows limited version information and upgrade notifications, which could be used by an attacker to identify vulnerabilities based on whether the installed version is up-to-date.

Security Risk
Less Critical
Vulnerability
Information Disclosure
Affected Versions

4.4, 4.5, 4.6

Fixed Versions

4.4.20, 4.6.10

Solutions

Upgrade to the latest version of CiviCRM, which ensures the footer will never be shown to users without "access CiviCRM" permission.

4.4.20 or 4.6.10

Credits

Reported by John Kingsnorth and Alex Corr

Fixed by Coleman Watts

4.4 backport by Eileen McNaughton

References

Fix for 4.6: https://github.com/civicrm/civicrm-core/pull/7101

Fix for 4.4: https://github.com/civicrm/civicrm-core/pull/7102