Both the "SavedSearch" and "ReportInstance" APIs accept certain inputs using "serialized" PHP notation. Accepting untrusted values in this notation leads to a "PHP Object Injection" (POI) vulnerability - which can potentially escalate to an "Arbitary Code Execution" vulnerability.
The APIs now accept a restricted subset of "serialized" notation - the APIs will only accept basic data (arrays, strings, numbers, etc). This prohibits PHP object construction and retains backward compatibility with typical API inputs.
- CiviCRM before 5.19.2 and before 5.13.7
- CiviCRM 5.19.2 and 5.13.7
Upgrade to the latest version of CiviCRM
Patrick Figel of Greenpeace CEE for reporting the issue
Seamus Lee of Australian Greens, Patrick Figel of Greenpeace CEE and Tim Otten of CiviCRM for fixing the issue