CIVI-SA-2023-07: Smarty Math RCE

Publicado
2023-09-06 12:00
Written by

Template authors can perform remote code execution (RCE) with a specially crafted call to the {math} function.

(This issue was identified as part of a general audit of Smarty v2, CIVI-PSA-2023-01.)

Security Risk
Highly Critical
Vulnerability
Arbitrary PHP Code Execution
Affected Versions

CiviCRM version 5.64.3 and earlier

Fixed Versions

CiviCRM version 5.64.4, 5.65.0 and 5.63.4 (ESR)

Publication Date
Solutions

Any ONE of the following:

  • Upgrade to the fixed version of CiviCRM
  • Manually update the file function.math.php with a newer version from Smarty v3.1.42+.
Credits

Tim Otten of CiviCRM.
Seamus Lee of JMA Consulting/CiviCRM.
Coleman Watts of CiviCRM.