CIVI-SA-2023-01: Help Subsystem RCE

Published
2023-01-04 12:00
The "Help" subsystem did not sufficiently validate the location/origin of its source files. If combined with a web-based upload tool, this could allow a user to execute arbitrary code.

With CiviCRM's standard upload tools, exploiting this vulnerability requires permission "administer CiviCRM". However, other upload tools (such as CMS plugins) could provide other attack vectors.
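
An added illustration, not CiviCRM's code or the actual patch: one way a help loader can validate both the origin and the location of a source file before including or rendering it. The manifest array, the `.hlp` extension and the `help/` directory are assumptions made for this example.

```php
<?php
// Hypothetical help-file resolver (example code, not CiviCRM's implementation).
// Two independent checks: origin (the topic is one that ships with the code)
// and location (the resolved file really lives under the shipped help directory).

/**
 * Return the canonical path of a help file, or null if the request is refused.
 *
 * @param string   $baseDir   Directory the application ships help files in (assumed).
 * @param string   $requested Topic name taken from the request.
 * @param string[] $manifest  Topic names known to ship with the code (assumed list).
 */
function resolveHelpFile(string $baseDir, string $requested, array $manifest): ?string
{
    // Origin check: an uploaded file that happens to sit in the right directory
    // is still not a shipped help topic, so a path check alone is not enough.
    if (!in_array($requested, $manifest, true)) {
        return null;
    }

    // Plain file names only: no separators, no "..", no NUL bytes.
    if (!preg_match('/^[A-Za-z0-9_-]+$/', $requested)) {
        return null;
    }

    // Canonicalise the allowed directory; realpath() resolves symlinks and "..".
    $root = realpath($baseDir);
    if ($root === false) {
        return null;
    }
    $root = rtrim($root, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;

    // Canonicalise the candidate and require it to be a regular file under $root.
    // Comparing after realpath() catches a symlink dropped by an upload tool that
    // points outside the help directory, which a check on the request string misses.
    $candidate = realpath($root . $requested . '.hlp');
    if ($candidate === false || !is_file($candidate)
        || strncmp($candidate, $root, strlen($root)) !== 0) {
        return null;
    }
    return $candidate;
}

// Usage with a constructed manifest; only a vetted, in-tree file reaches the renderer.
$manifest = ['contact-summary', 'event-registration'];
$path = resolveHelpFile(__DIR__ . '/help', $_GET['topic'] ?? '', $manifest);
if ($path === null) {
    http_response_code(404);
    exit;
}
// ... render the contents of $path ...
```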

Security Risk
Critical
Vulnerability
Arbitrary PHP Code Execution
Affected Versions

CiviCRM version 5.56.1 (and earlier), 5.51.3 (and earlier)

Fixed Versions

CiviCRM version 5.57.0, 5.56.2, 5.51.4 (ESR)

Solutions

Upgrade to the latest version of CiviCRM

Credits

Eileen McNaughton and Rich Lott identified the issue. Rich Lott wrote the primary patch. Seamus Lee and Tim Otten contributed feedback, revisions, and backports.

References

security/core#120