CIVI-SA-2023-07: Smarty Math RCE

Published

2023-09-06 12:00

Written by

dev-team

Template authors can perform remote code execution (RCE) with a specially crafted call to the {math} function.

(This issue was identified as part of a general audit of Smarty v2, CIVI-PSA-2023-01.)

Security Risk

Highly Critical

Vulnerability

Arbitrary PHP Code Execution

Affected Versions

CiviCRM version 5.64.3 and earlier

Fixed Versions

CiviCRM version 5.64.4, 5.65.0 and 5.63.4 (ESR)

Publication Date

2023-09-06 - 12:00

Solutions

Any ONE of the following:

Upgrade to the fixed version of CiviCRM
Manually update the file function.math.php with a newer version from Smarty v3.1.42+.

Credits

Tim Otten of CiviCRM.
Seamus Lee of JMA Consulting/CiviCRM.
Coleman Watts of CiviCRM.

References

https://github.com/smarty-php/smarty/security/advisories/GHSA-29gp-2c3m…
https://civicrm.org/advisory/civi-psa-2023-01-smarty-v2-audit
security/core#122

We are in the process of translating the civicrm.org website. Translations may not be available in all languages. Read more and participate.

© 2005 - 2023, CIVICRM LLC. All rights reserved.
CiviCRM and the CiviCRM logo are trademarks of CIVICRM LLC. Except where otherwise noted, content on this site is licensed under a Creative Commons Attribution-Share Alike 3.0 United States Licence.

[D8]

CIVI-SA-2023-07: Smarty Math RCE

WORK WITH A TRUSTED EXPERT
TO SETUP YOUR CIVICRM

Languages

CIVI-SA-2023-07: Smarty Math RCE

WORK WITH A TRUSTED EXPERT TO SETUP YOUR CIVICRM

WORK WITH A TRUSTED EXPERT
TO SETUP YOUR CIVICRM