The "dompdf" library has a vulnerability which allows remote code execution. It may be exploited by some backend users.
Vulnerable versions: 5.48.beta, 5.47.3, 5.45.4
Fixed versions: 5.48.0, 5.47.4, and 5.45.5 ESR
Upgrade to CiviCRM v5.48.0, v5.47.4, or 5.45.5 ESR
Alternatively, if you cannot upgrade CiviCRM, then any ONE of the following will also resolve the security issue:
- Put firm restrictions on dompdf. Edit civicrm.settings.php and override this option:

  // TEMPORARY OVERRIDE: This site has an insecure version of dompdf (<1.2.1), so some features
  // are temporarily disabled. You may remove this after upgrading (dompdf 1.2.1+; Civi 5.47.4+).
  $civicrm_setting['domain']['dompdf_enable_remote'] = FALSE;

  NOTE: This prevents any users from running vulnerable code. However, it also limits the ability to generate PDFs. For example, if you generate invoice PDFs with an image or logo, the images will not appear.
- Manually upgrade dompdf to v1.2.1+ (for Drupal 8/9 projects). In your site-root, download the secure version:

  composer require 'dompdf/dompdf:1.2.1 as 1.0.3'

  NOTE: This is useful as a short-term override. In the future, when you have a chance to update CiviCRM, you will need to edit composer.json and remove this override.
If you apply an alternative solution, the application will still display a message that encourages upgrading, but it will be secure against the dompdf vulnerability.
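A check script for composer-based (Drupal 8/9) installs, added here as an example and not part of this advisory or of CiviCRM itself: it reads the text of composer.lock and civicrm.settings.php and reports whether either remediation above is in place. It assumes dompdf/dompdf is listed in the site-root composer.lock and that the override lives in civicrm.settings.php (a setting stored only in the database is not seen); the sample inputs are constructed.

```python
import json
import re

# dompdf release that carries the fix, per the advisory above
DOMPDF_FIXED_VERSION = "1.2.1"

# Live (non-commented) assignment of the override shown in the advisory.
_OVERRIDE_RE = re.compile(
    r"""\$civicrm_setting\s*\[\s*['"]domain['"]\s*\]\s*\[\s*['"]dompdf_enable_remote['"]\s*\]"""
    r"""\s*=\s*(?:false|0)\s*;""",
    re.IGNORECASE,
)

def parse_version(text):
    """Turn '1.2.1', 'v1.0.3' or '1.2.1-beta1' into a comparable tuple."""
    core = re.split(r"[-+]", text.strip().lstrip("vV"), maxsplit=1)[0]
    parts = [int(p) for p in core.split(".") if p.isdigit()]
    return tuple(parts + [0] * (3 - len(parts)))

def dompdf_version_from_lock(lock_text):
    """Return the dompdf/dompdf version recorded in composer.lock, or None."""
    lock = json.loads(lock_text)
    for pkg in lock.get("packages", []) + lock.get("packages-dev", []):
        if pkg.get("name") == "dompdf/dompdf":
            return pkg.get("version")
    return None

def remote_disabled_in_settings(settings_text):
    """True if civicrm.settings.php has an active dompdf_enable_remote = FALSE override."""
    for line in settings_text.splitlines():
        stripped = line.strip()
        if stripped.startswith(("//", "#", "/*", "*")):
            continue  # a commented-out override does not protect the site
        if _OVERRIDE_RE.search(stripped):
            return True
    return False

def site_status(lock_text, settings_text):
    """Combine both checks: the site is exposed only if neither remediation is present."""
    version = dompdf_version_from_lock(lock_text)
    patched = version is not None and parse_version(version) >= parse_version(DOMPDF_FIXED_VERSION)
    mitigated = remote_disabled_in_settings(settings_text)
    return {"dompdf_version": version, "patched": patched,
            "remote_disabled": mitigated, "exposed": not (patched or mitigated)}

# Constructed sample inputs (not from a real site): old dompdf, override applied.
SAMPLE_LOCK = '{"packages": [{"name": "dompdf/dompdf", "version": "1.0.3"}]}'
SAMPLE_SETTINGS = "<?php\n$civicrm_setting['domain']['dompdf_enable_remote'] = FALSE;\n"
```

Run `site_status(open("composer.lock").read(), open("civicrm.settings.php").read())` from the site root; an `"exposed": True` result means neither the dompdf upgrade nor the override is in effect.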
Maximilian Kirchmeier and Fabian Bräunlein (Positive Security) for identifying and documenting the vulnerability.
Brian Sweeney (dompdf) for developing the fix.
CiviCRM Security Team and Luke Stewart (Fuzion) for porting and QA on CiviCRM.