CiviCRM bundles the TCPDF library, which recently had a security flaw patched. The vulnerability allowed a malicious user to make the PDF library perform unexpected actions, potentially leading to data disclosure. Its impact was mitigated by the fact that only administrative users have access to the PDF generation functionality that uses TCPDF.
Affected versions: up through v4.6.13 and v4.7.2
Fixed versions: v4.6.14+ and v4.7.3+
Remediation: any ONE of the following:
- Upgrade to CiviCRM v4.6.14+ or v4.7.3+ (recommended)
- Apply the patch from https://github.com/civicrm/civicrm-packages/pull/143
- Manually update the bundled TCPDF in CiviCRM
- Secure TCPDF as documented in http://labs.detectify.com/post/114572572966/stealing-files-from-web-servers-by-exploiting-a
Credits:
- Dmitry Smirnov (RAID6.com.au)
- Chris Burgess (Fuzion)