CIVI-SA-2019-09: XXE in PHPWord

Veröffentlicht
2019-05-15 09:00
Written by

CiviCRM includes the PHPWord library. PHPWord v0.14 is vulnerable to an XML external entity attack - which is resolved in v0.15.

Security Risk
Moderately Critical
Vulnerability
Other
Affected Versions

CiviCRM versions 5.11.x and earlier

Fixed Versions

CiviCRM version 5.12.0 and 5.7.6

Solutions

Upgrade to the latest version of CiviCRM

Credits

Jianingwang of Tencent‘s XuanWuLab for reporting the issue

Seamus Lee of Australian Greens for fixing the issue

References

security/core#24