CIVI-SA-2019-21: PHP Object Injection via Saved Search and Report Instance APIs

2019-11-20 09:00
Both the "SavedSearch" and "ReportInstance" APIs accept certain inputs using "serialized" PHP notation. Accepting untrusted values in this notation leads to a "PHP Object Injection" (POI) vulnerability - which can potentially escalate to an "Arbitrary Code Execution" vulnerability.

The APIs now accept a restricted subset of "serialized" notation - the APIs will only accept basic data (arrays, strings, numbers, etc). This prohibits PHP object construction and retains backward compatibility with typical API inputs.
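The following is an added illustration of the kind of restriction described above; it is not CiviCRM's own code and does not reproduce the patched API. It assumes PHP 7.0 or later, where unserialize() takes an "allowed_classes" option: with that option set to false, every object record in the input is decoded as a __PHP_Incomplete_Class placeholder rather than instantiated, so no class-defined magic method runs during decoding. The helper then walks the result and rejects the input outright if any placeholder remains, so only arrays, strings, numbers, booleans and null get through.

```php
<?php
// Added example, not CiviCRM code: accept "serialized" PHP notation for
// basic data only (arrays, strings, numbers, booleans, null) and refuse
// any input that would construct a PHP object.

/**
 * Decode a serialized PHP value while refusing object construction.
 *
 * Requires PHP >= 7.0 for the 'allowed_classes' option (assumption).
 *
 * @return mixed The decoded value.
 * @throws InvalidArgumentException if the input is malformed or not basic data.
 */
function unserializeBasicData(string $input)
{
    // allowed_classes => false: O:/C: records become __PHP_Incomplete_Class
    // instead of real objects, so nothing attacker-chosen is instantiated.
    $value = @unserialize($input, ['allowed_classes' => false]);

    // unserialize() returns false both for the literal "b:0;" and for
    // malformed input; tell the two apart before continuing.
    if ($value === false && $input !== 'b:0;') {
        throw new InvalidArgumentException('Malformed serialized data');
    }

    assertBasicData($value);
    return $value;
}

/** Recursively verify that a decoded value holds only scalars, arrays or null. */
function assertBasicData($value): void
{
    if (is_array($value)) {
        foreach ($value as $item) {
            assertBasicData($item);
        }
        return;
    }
    if (is_object($value)) {
        // Any object here is the __PHP_Incomplete_Class placeholder left by
        // allowed_classes => false; reject the whole input rather than keep it.
        throw new InvalidArgumentException(
            'Object construction is not permitted in this input'
        );
    }
    // int, float, string, bool and null pass through unchanged.
}

// Constructed sample inputs (not taken from the advisory).
$basic = serialize(['contact_type' => 'Individual', 'limit' => 25, 'is_active' => true]);
$decoded = unserializeBasicData($basic);
echo 'basic data accepted: ', json_encode($decoded), PHP_EOL;

// The same array shape, but with a serialized object nested inside it.
$withObject = 'a:1:{s:6:"filter";O:8:"stdClass":1:{s:3:"foo";s:3:"bar";}}';
try {
    unserializeBasicData($withObject);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}
```

The second check matters because allowed_classes => false alone does not fail closed: it silently hands back a placeholder object, which downstream code might store or re-serialize. Rejecting the input as soon as a placeholder is found keeps the behaviour equivalent to "basic data only", which is the backward-compatible contract the advisory describes.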

Security Risk: Arbitrary PHP Code Execution

Affected Versions:
  • CiviCRM before 5.19.2 and before 5.13.7

Fixed Versions:
  • CiviCRM 5.19.2 and 5.13.7

Upgrade to the latest version of CiviCRM

Patrick Figel of Greenpeace CEE for reporting the issue

Seamus Lee of Australian Greens, Patrick Figel of Greenpeace CEE and Tim Otten of CiviCRM for fixing the issue