The "Help" subsystem did not sufficiently validate the location/origin of its source files. If combined with a web-based upload tool, this could allow a user to execute arbitrary code.
With CiviCRM's standard upload tools, exploiting this vulnerability requires permission "administer CiviCRM". However, other upload tools (such as CMS plugins) could provide other attack vectors.
CiviCRM version 5.56.1 (and earlier), 5.51.3 (and earlier)
CiviCRM version 5.57.0, 5.56.2, 5.51.4 (ESR)
Upgrade to the latest version of CiviCRM
Eileen McNaughton and Rich Lott identified the issue. Rich Lott wrote the primary patch. Seamus Lee and Tim Otten contributed feedback, revisions, and backports.
security/core#120