Security Risk: Critical
Vulnerability: Arbitrary PHP Code Execution
Affected Versions:
  • CiviCRM before 5.19.2 and before 5.13.7
Fixed Versions:
  • CiviCRM 5.19.2 and 5.13.7
Publication Date: Wednesday, November 20, 2019
Description: 

Both the "SavedSearch" and "ReportInstance" APIs accept certain inputs using "serialized" PHP notation. Accepting untrusted values in this notation leads to a "PHP Object Injection" (POI) vulnerability - which can potentially escalate to an "Arbitrary Code Execution" vulnerability.

The APIs now accept a restricted subset of "serialized" notation - the APIs will only accept basic data (arrays, strings, numbers, etc.). This prohibits PHP object construction and retains backward compatibility with typical API inputs.
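To illustrate the restricted subset described above, here is an added Python example (not CiviCRM's own PHP code): a parser for PHP serialize() notation that accepts only null, booleans, numbers, strings and arrays, and rejects the "O:" and "C:" object tokens wherever they occur in the structure, while a string value that merely contains "O:8:" is still accepted. It assumes ASCII input, since PHP string lengths count bytes.

```python
class UnsafeSerializedInput(ValueError):
    """Raised for object notation or malformed input."""

def parse_restricted(data: str):
    """Decode PHP serialize() notation, allowing only scalars and arrays."""
    value, pos = _parse(data, 0)
    if pos != len(data):
        raise UnsafeSerializedInput("trailing data after value")
    return value

def is_safe_serialized(data: str) -> bool:
    """True if the input parses under the restricted grammar, else False."""
    try:
        parse_restricted(data)
        return True
    except (ValueError, IndexError):
        return False

def _expect(s, i, ch):
    if s[i:i + 1] != ch:
        raise UnsafeSerializedInput(f"expected {ch!r} at offset {i}")

def _parse(s, i):
    tag = s[i:i + 1]
    if not tag or tag not in "Nidbsa":   # rejects "O:" (object), "C:" (custom), "r:"/"R:" (refs)
        raise UnsafeSerializedInput(f"disallowed token {tag!r} at offset {i}")
    if tag == "N":                        # null:    N;
        _expect(s, i + 1, ";")
        return None, i + 2
    _expect(s, i + 1, ":")
    if tag in "idb":                      # scalars: i:42; d:1.5; b:1;
        end = s.index(";", i + 2)
        return {"i": int, "d": float, "b": lambda r: r == "1"}[tag](s[i + 2:end]), end + 1
    colon = s.index(":", i + 2)           # "s:<len>:" or "a:<count>:"
    size = int(s[i + 2:colon])
    if tag == "s":                        # string:  s:5:"hello";  (PHP counts bytes; ASCII assumed)
        start, end = colon + 2, colon + 2 + size
        if s[colon + 1:colon + 2] != '"' or s[end:end + 2] != '";':
            raise UnsafeSerializedInput("bad string framing")
        return s[start:end], end + 2
    _expect(s, colon + 1, "{")            # array:   a:1:{i:0;i:5;}
    pos, result = colon + 2, {}
    for _ in range(size):
        key, pos = _parse(s, pos)
        if not isinstance(key, (int, str)):
            raise UnsafeSerializedInput("array key must be int or string")
        result[key], pos = _parse(s, pos)
    _expect(s, pos, "}")
    return result, pos + 1
```

Because the grammar is parsed rather than pattern-matched, an "O:" inside a legitimate string value does not trigger a false rejection, and an object nested inside an array is still refused.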

Solutions: 

Upgrade to the latest version of CiviCRM

Credits: 

Patrick Figel of Greenpeace CEE for reporting the issue

Seamus Lee of Australian Greens, Patrick Figel of Greenpeace CEE and Tim Otten of CiviCRM for fixing the issue

References: 

security/core#46