CIVI-SA-2024-03: Smarty Security Policy

Published
2024-06-19 12:00

CiviCRM uses the Smarty template system for high-trust content (built-in template files, written by developers) and low-trust content (user-supplied templates, written by back-office users). Low-trust content is subject to sandboxing, but there were issues in how this was applied.

The issues arise at a time when the Smarty integration is transitioning. Different sites may use different Smarty versions (2.x, 3.x, 4.x, 5.x), and the exact impact varies by version. The impact is more severe on 3.x and 4.x, but all versions are impacted in some way -- allowing access to sensitive information and/or sensitive functionality.

The new updates establish a stricter and more consistent set of policies across all Smarty versions.

The new policies may be too strict for some organizations. For example, user-supplied templates are now prohibited from accessing some uncommon (but powerful) Smarty features. You may use a new programmatic API (hook_civicrm_userContentPolicy) to grant access to restricted functions.

(Addendum) You may wish to audit your user-supplied templates to determine if they conform to the latest security policy. See the User Content Audit snippet for an example.
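The User Content Audit snippet referenced above is not reproduced on this page. As an added example (not CiviCRM's own code), the following Python scanner reports user-supplied Smarty templates that use tags a sandbox policy would typically refuse; the RESTRICTED_TAGS set and the sample templates are constructed assumptions, so substitute your site's actual policy and feed it your stored templates.

```python
import re

# Constructed denylist for this example: Smarty tags a sandbox for user-supplied
# content would typically refuse. ASSUMPTION: the advisory does not list CiviCRM's
# real policy, so adjust this set to match the policy in effect on your site.
RESTRICTED_TAGS = {"php", "include_php", "insert", "fetch", "eval", "include",
                   "extends", "config_load"}

# Regions Smarty does not parse as tags: {literal}...{/literal} and {* comments *}.
_SKIP_RE = re.compile(r"\{literal\}.*?\{/literal\}|\{\*.*?\*\}", re.DOTALL)
# An opening tag name directly after "{": {php}, {include file=...}. Closing tags
# ({/php}) are skipped so each construct is reported once; "{ " followed by
# whitespace is auto-literal in Smarty 3+, so no whitespace is allowed after "{".
_TAG_RE = re.compile(r"\{(?!/)([A-Za-z_]\w*)\b")


def audit_template(name, source):
    """Return (template_name, line_no, tag) for every restricted tag in `source`."""
    # Blank out skipped regions but keep their newlines so line numbers stay right.
    cleaned = _SKIP_RE.sub(lambda m: "\n" * m.group(0).count("\n"), source)
    findings = []
    for line_no, line in enumerate(cleaned.splitlines(), start=1):
        for m in _TAG_RE.finditer(line):
            tag = m.group(1).lower()
            if tag in RESTRICTED_TAGS:
                findings.append((name, line_no, tag))
    return findings


def audit_templates(templates):
    """Audit a {name: source} mapping, e.g. rows exported from civicrm_msg_template."""
    findings = []
    for name, source in sorted(templates.items()):
        findings.extend(audit_template(name, source))
    return findings


# Constructed sample templates, not real site data.
SAMPLE_TEMPLATES = {
    "receipt": (
        "Dear {$contact.display_name|escape},\n"
        "{if $amount}Thank you for your gift of {$amount|crmMoney}.{/if}\n"
        "{literal}Docs say {php} is dangerous, but inside literal it is text.{/literal}\n"
        "{* {include_php file='x.php'} in a comment is never executed *}\n"
    ),
    "newsletter": (
        "{foreach from=$items item=i}{$i.title|escape}{/foreach}\n"
        "{php}echo 'legacy'{/php}\n"
        "{include_php file='/tmp/helper.php'}\n"
    ),
}
```

Running audit_templates(SAMPLE_TEMPLATES) reports only the two restricted tags in the "newsletter" template; the {php} inside {literal} and the {include_php} inside a comment are correctly ignored.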

Security Risk: Critical

Vulnerability: Arbitrary PHP Code Execution

Affected Versions: CiviCRM version 5.74.3 and earlier

Fixed Versions: CiviCRM version 5.74.4 and 5.69.6 (ESR)

Solutions: Upgrade to the fixed version of CiviCRM

Credits

Dave D; JMA Consulting - Seamus Lee; Greenpeace Central and Eastern Europe - Patrick Figel; CiviCRM - Tim Otten; Wikimedia Foundation - Eileen McNaughton

References

security/core#132