Security Risk: Not Critical
Vulnerability: Other
Affected Versions:

CiviCRM v4.5.0 - v4.5.6
CiviCRM v4.4.0 - v4.4.12
CiviCRM v4.3.0 - v4.3.10
CiviCRM v4.2.0 - v4.2.19

Fixed Versions:

CiviCRM v4.5.7+, v4.4.13+, v4.3.11+, and v4.2.20+


Publication Date: Wednesday, March 4, 2015
Description: 

The Smarty templating engine includes a defect in which a specially named Smarty template could be used to execute PHP code.

An exploit of this vulnerability in CiviCRM has not been identified. Exploiting it requires that an attacker have permission to set both the name and the content of a template file; in CiviCRM deployments, this permission is generally available only to system administrators. Nevertheless, it could potentially be combined with other vulnerabilities, so we're issuing a patch as a precaution.

Solutions: 

Any ONE of the following:

Credits: 
  • jonieske
  • Uwe Tews
  • Chris Burgess (Fuzion)
CVE: 
CVE-2011-1028