Security issue: An authenticated user with permission to view file attachments may be able to move/remove arbitrary files on the server.
Upgrade Note: This update constrains access to APIv4's File entity and the recently added option, move_file. The constraint parallels a similar constraint in APIv3's Attachment. To use the move_file option, you must invoke the API through a trusted channel (e.g. PHP-API) and set checkPermissions=>FALSE.
(If you need remote access to this functionality, please create or comment on a Gitlab issue with a proposed permission model.)
Affected versions: CiviCRM 6.2.0 - 6.4.0 (only)
Fixed in: CiviCRM versions 6.4.1 and 6.5.0
Workarounds: Any ONE of the following is sufficient:
- Upgrade to a fixed version of CiviCRM, or...
- Configure an HTTP firewall to block API requests involving the phrase move_file.
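The firewall workaround above, as an added example that is not part of the advisory or of CiviCRM itself: a request filter that flags CiviCRM API requests carrying the phrase move_file in the query string or body, decoding percent-encoding (including double encoding) and JSON \u escapes first so that a differently spelled key does not slip past a plain substring match. The API endpoint paths in API_PATH_RE are assumptions; adjust them to the site's actual routing.

```python
import json
import re
from urllib.parse import parse_qsl, unquote_plus

# CiviCRM API entry points the rule covers (assumption: adjust to the site's routing).
API_PATH_RE = re.compile(r"/civicrm/ajax/(api4|rest)\b|/extern/rest\.php", re.I)
NEEDLE = "move_file"

def _decode_layers(text: str) -> str:
    """Percent-decode until stable, so move%5Ffile and double-encoded forms are caught."""
    prev = None
    while prev != text:
        prev, text = text, unquote_plus(text)
    return text

def _flatten(value) -> str:
    """Render a JSON-decoded structure (keys and values) as plain searchable text."""
    if isinstance(value, dict):
        return " ".join(f"{_flatten(k)} {_flatten(v)}" for k, v in value.items())
    if isinstance(value, list):
        return " ".join(_flatten(v) for v in value)
    return str(value)

def _json_text(candidate: str) -> str:
    """Decoded JSON as text, or '' if the candidate is not JSON."""
    try:
        return _flatten(json.loads(candidate))
    except (ValueError, TypeError):
        return ""

def mentions_move_file(text: str) -> bool:
    """True if move_file appears in text after percent-decoding and JSON unescaping."""
    decoded = _decode_layers(text)
    # A JSON body, or form fields such as params=<json>, may spell the key with
    # \u escapes; decode those too before searching.
    parts = [decoded, _json_text(decoded)]
    parts += [_json_text(v) for _, v in parse_qsl(decoded, keep_blank_values=True)]
    return NEEDLE in " ".join(parts).lower()

def should_block(path: str, query: str, body: str) -> bool:
    """Block only API requests that carry move_file in the query string or body."""
    if not API_PATH_RE.search(path):
        return False
    return mentions_move_file(query) or mentions_move_file(body)

if __name__ == "__main__":
    # Constructed sample request, not captured traffic.
    body = "params=%7B%22values%22%3A%7B%22move_file%22%3A%22%2Ftmp%2Fx%22%7D%7D"
    print(should_block("/civicrm/ajax/api4/File/update", "", body))
```

Requests to non-API paths are left alone so that ordinary pages mentioning the phrase are not affected.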
Credits:
- Tim Otten (CiviCRM)
- Coleman Watts (CiviCRM)
- Seamus Lee (JMA Consulting)
Reference: security/core#142
