CIVI-SA-2018-07: Remote Code Execution in QuickForm

Published
2018-07-19 09:00
Written by
dev-team - member of the CiviCRM community

Most CiviCRM pages are generated with the HTML_QuickForm library. HTML_QuickForm has a vulnerability which enables a remote attacker to execute arbitrary PHP code. This is fixed in the latest version of CiviCRM.

Security Risk

Highly Critical

Vulnerability

Arbitrary PHP Code Execution

Affected Versions

CiviCRM versions 5.3.0 and 4.6.37 (and earlier)

Fixed Versions

CiviCRM version 5.3.1 and 4.6.38 (and later)

Solutions

Upgrade to the latest version of CiviCRM.

Credits

Patrick Figel of Greenpeace for reporting the issue.

Eileen McNaughton of Wikimedia Foundation, Elliott Eggleston of Wikimedia Foundation, Monish Deb of JMA Consulting and Coleman Watts of the CiviCRM Core Team for fixing the issue.

References

Lab Issue reference: security/core#5

CVE
CVE-2018-1999022