Security Risk: 
Moderately Critical
Vulnerability: 
Other
Affected Versions: 

CiviCRM versions 5.11.x and earlier

Fixed Versions: 

CiviCRM versions 5.12.0 and 5.7.6

Publication Date: 
Wednesday, May 15, 2019
Description: 

CiviCRM bundles the PHPWord library. PHPWord v0.14 is vulnerable to an XML external entity (XXE) attack when it parses a document supplied by an attacker; the issue is resolved in PHPWord v0.15.
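The class of bug the description names, shown as an added example written for this advisory (it is not PHPWord's or CiviCRM's code): a reader that parses an attacker-supplied word/document.xml part with entity substitution enabled, beside a hardened reader that parses without substitution, blocks network access and refuses any part carrying a DOCTYPE, which a legitimate Office Open XML part never has. The WordprocessingML markup, the secret file it reads back and the function names are constructed for illustration.

```php
<?php
// Added example, not PHPWord or CiviCRM code. Demonstrates the XXE class of
// bug described in the advisory against a constructed .docx document part.
declare(strict_types=1);

const WML_NS = 'http://schemas.openxmlformats.org/wordprocessingml/2006/main';

// Constructed stand-in for the secret an XXE payload would exfiltrate
// (for example a settings file holding database credentials).
$secretPath = tempnam(sys_get_temp_dir(), 'xxe');
file_put_contents($secretPath, 'db_password=hunter2');

// Constructed malicious word/document.xml. A real OOXML part carries no
// DOCTYPE; this one declares an external entity pointing at a local file.
$maliciousPart = <<<XML
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE w:document [
  <!ENTITY xxe SYSTEM "file://{$secretPath}">
]>
<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main">
  <w:body><w:p><w:r><w:t>&xxe;</w:t></w:r></w:p></w:body>
</w:document>
XML;

/**
 * Vulnerable pattern: LIBXML_NOENT tells libxml to substitute entities,
 * external ones included, so the referenced file's contents end up in the
 * parsed text. This remains exploitable on PHP 8, where external loading is
 * otherwise off by default, because LIBXML_NOENT re-enables it.
 */
function parseUnsafe(string $xml): string
{
    $dom = new DOMDocument();
    $dom->loadXML($xml, LIBXML_NOENT);
    return $dom->getElementsByTagNameNS(WML_NS, 't')->item(0)->textContent;
}

/**
 * Hardened pattern: no entity substitution, no network fetches for DTDs or
 * entities, and an outright rejection of any part that declares a DOCTYPE.
 * Checking $dom->doctype after parsing is more robust than a string match,
 * which encoding tricks can evade.
 */
function parseSafe(string $xml): string
{
    libxml_use_internal_errors(true);
    $dom = new DOMDocument();
    if (!$dom->loadXML($xml, LIBXML_NONET)) {
        throw new RuntimeException('Malformed XML part');
    }
    if ($dom->doctype !== null) {
        throw new RuntimeException('Rejected part: DOCTYPE is not allowed in an OOXML document');
    }
    $text = $dom->getElementsByTagNameNS(WML_NS, 't')->item(0);
    return $text === null ? '' : $text->textContent;
}

// Run both readers over the same hostile part.
echo 'unsafe: ', parseUnsafe($maliciousPart), PHP_EOL; // prints the secret file's contents
try {
    parseSafe($maliciousPart);
} catch (RuntimeException $e) {
    echo 'safe:   ', $e->getMessage(), PHP_EOL;
}

unlink($secretPath);
```

The important detail for anyone auditing a PHP code base for this bug is the flag, not the library: any `loadXML`, `simplexml_load_string` or `XMLReader` call that passes `LIBXML_NOENT` over attacker-controlled input is a candidate, whatever version of libxml or PHP is in use.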

Solutions: 

Upgrade to the latest version of CiviCRM

Credits: 

Jianingwang of Tencent's XuanWuLab for reporting the issue

Seamus Lee of Australian Greens for fixing the issue

References: 

security/core#24