Backend users may be able to upload and execute a maliciously crafted "PHAR" file.
The "PharExtensionInterceptor" library from Typo3 addresses this problem. Many projects - including the current Drupal and Joomla releases - already activate this protection and are already secure. However, some environments - such as WordPress - do not have it. This update extends the protection to all CiviCRM-supported environments.
CiviCRM version 5.24.2 and earlier
CiviCRM version 5.24.3 and 5.21.3
Upgrade to the latest version of CIviCRM
Patrick Figel (Greenpeace CEE), Dennis Brinkrolf (RIPS Technologies) , and Seamus Lee (JMA Consulting/CiviCRM) for reporting the issue
Patrick Figel (Greenpeace CEE), Seamus Lee (JMA Consulting/CiviCRM), Kevin Cristiano (Tadpole Collective), Tim Otten (CiviCRM), and Rich Lott (Artful Robot) for resolving the issue