CIVI-SA-2023-07: Smarty Math RCE

2023-09-06 12:00
Written by dev-team, a member of the CiviCRM community

Template authors can perform remote code execution (RCE) with a specially crafted call to the {math} function.

(This issue was identified as part of a general audit of Smarty v2, CIVI-PSA-2023-01.)
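The class of bug described above is an expression that is meant to be purely arithmetic but reaches PHP's evaluator with more than arithmetic in it. The following is an added example, not Smarty's or CiviCRM's code, of the defensive pattern the fixed plugin relies on: accept only a narrow, allowlisted token grammar (numeric literals, arithmetic operators, parentheses, variables the caller declared, and a fixed set of math functions) and reject anything else before any evaluation takes place. The function name `safe_math`, the `MATH_ALLOWED_FUNCTIONS` list and the demo inputs are all assumptions constructed for this example.

```php
<?php
// Added example, not Smarty's or CiviCRM's code: an allowlist-based evaluator
// for a {math}-style "equation" string. It accepts only a narrow token grammar
// (numbers, arithmetic operators, parentheses, declared variables, and a fixed
// set of math functions) and rejects everything else before any evaluation.

/** Functions an equation may call; any other identifier is rejected (assumed list). */
const MATH_ALLOWED_FUNCTIONS = [
    'abs', 'ceil', 'cos', 'exp', 'floor', 'log', 'log10', 'max', 'min',
    'pi', 'pow', 'rand', 'round', 'sin', 'sqrt', 'tan',
];

/**
 * Validate $equation against $vars (name => numeric value) and evaluate it.
 * Throws InvalidArgumentException on any input outside the allowed grammar.
 */
function safe_math(string $equation, array $vars): float
{
    // 1. Character allowlist for the whole string. Quotes, backticks, '$', ';',
    //    braces, '[' and so on never get past this check.
    if (!preg_match('/^[\w\s.,()+\-*\/%]+$/', $equation)) {
        throw new InvalidArgumentException('equation contains disallowed characters');
    }

    // 2. Variable names must be plain identifiers, values must be numeric, and
    //    a variable must not shadow an allowlisted function name.
    foreach ($vars as $name => $value) {
        if (!preg_match('/^[A-Za-z_]\w*$/', (string) $name)
            || in_array($name, MATH_ALLOWED_FUNCTIONS, true)) {
            throw new InvalidArgumentException("invalid variable name: $name");
        }
        if (!is_numeric($value)) {
            throw new InvalidArgumentException("variable $name is not numeric");
        }
    }

    // 3. Every identifier in the equation must be a declared variable or an
    //    allowlisted function that is immediately followed by '('. The
    //    lookbehind keeps the exponent of a literal such as 1e5 from being
    //    read as an identifier.
    preg_match_all('/(?<![\w.])[A-Za-z_]\w*/', $equation, $matches, PREG_OFFSET_CAPTURE);
    foreach ($matches[0] as [$ident, $offset]) {
        if (array_key_exists($ident, $vars)) {
            continue;
        }
        $rest = substr($equation, $offset + strlen($ident));
        $isCall = in_array($ident, MATH_ALLOWED_FUNCTIONS, true)
            && preg_match('/^\s*\(/', $rest);
        if (!$isCall) {
            throw new InvalidArgumentException("unknown identifier: $ident");
        }
    }

    // 4. Substitute variables as parenthesised numeric literals so that a
    //    negative value such as -2 in "3-x" becomes "3-(-2)" and not "3--2".
    foreach ($vars as $name => $value) {
        $literal = '(' . (string) (float) $value . ')';
        $equation = preg_replace('/\b' . preg_quote($name, '/') . '\b/', $literal, $equation);
    }

    // 5. Only now is the string evaluated; it can contain nothing but numeric
    //    literals, operators, parentheses and allowlisted function calls.
    return (float) eval("return ($equation);");
}

// Constructed demo inputs: two that evaluate, two that are rejected.
$cases = [
    ['x * 2 + round(y / 3)', ['x' => 4, 'y' => 10]],
    ['max(x, 5) + pi()',     ['x' => 3]],
    ['x; y',                 ['x' => 1, 'y' => 2]],
    ['x + unknown_func(1)',  ['x' => 1]],
];
foreach ($cases as [$equation, $vars]) {
    try {
        printf("%-25s => %s\n", $equation, safe_math($equation, $vars));
    } catch (Throwable $e) {
        printf("%-25s => rejected (%s)\n", $equation, $e->getMessage());
    }
}
```

The first two cases evaluate (11 and 5 + pi); the third is refused at the character check because of the semicolon, and the fourth at the identifier check because `unknown_func` is neither a declared variable nor an allowlisted function. The design choice worth noting is that validation is structural, not a denylist of known-bad strings: a string that survives to `eval()` can contain only tokens the allowlist admits. Where the surrounding code base permits it, a small recursive-descent evaluator that never calls `eval()` at all is the stronger option, since it removes the interpreter from the trust boundary entirely.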

Security Risk

Highly Critical (Arbitrary PHP Code Execution)

Affected Versions

CiviCRM version 5.64.3 and earlier

Fixed Versions

CiviCRM version 5.64.4, 5.65.0 and 5.63.4 (ESR)

Publication Date

2023-09-06

Solution

Any ONE of the following:

  • Upgrade to the fixed version of CiviCRM
  • Manually update the file function.math.php with a newer version from Smarty v3.1.42+.

Credits

Tim Otten of CiviCRM.
Seamus Lee of JMA Consulting/CiviCRM.
Coleman Watts of CiviCRM.