PT-2020-6425 · Civicrm · Civicrm

Dennis Brinkrolf +2

Published 2020-04-05 · Updated 2024-03-06

CVE-2020-36388

CVSS v3.1: 8.8 (High)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: CiviCRM versions 5.22.x through 5.24.x before 5.24.3; CiviCRM versions prior to 5.21.3

Description: The issue in CiviCRM is related to the possibility of uploading and executing PHAR archives. Exploitation of this issue may allow a remote attacker to access confidential data, compromise data integrity, and cause a denial of service.

Recommendations: For CiviCRM versions prior to 5.21.3, update to version 5.21.3 or later. For CiviCRM versions 5.22.x through 5.24.x before 5.24.3, update to version 5.24.3 or later. As a temporary workaround, consider restricting the ability to upload and execute PHAR archives until a patch is available.
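One way to apply the temporary workaround above on the application side, as an added example that is not CiviCRM's own code: reject PHAR archives at upload time by file name and by content, and unregister the phar:// stream wrapper. The field name "attachment", the allowed MIME list and the validateUpload/looksLikePhar function names are assumptions for illustration.

```php
<?php
// Added example, not CiviCRM code: refuse PHAR archives before an upload
// is stored, and disable the phar:// wrapper so a stray archive cannot be
// opened through it. Assumes the application does not itself use phar://.
declare(strict_types=1);

if (in_array('phar', stream_get_wrappers(), true)) {
    stream_wrapper_unregister('phar');
}

/**
 * True when the upload looks like a PHAR archive: any ".phar" segment in
 * the name (catches "avatar.phar.jpg") or the __HALT_COMPILER token that
 * every phar-format stub must contain. Tar/zip-based PHARs have no such
 * stub; those are caught by the MIME allow-list in validateUpload().
 */
function looksLikePhar(string $originalName, string $tmpPath): bool
{
    foreach (explode('.', strtolower($originalName)) as $segment) {
        if ($segment === 'phar') {
            return true;
        }
    }
    $head = @file_get_contents($tmpPath, false, null, 0, 64 * 1024);
    if ($head === false) {
        return true; // unreadable upload: fail closed
    }
    return stripos($head, '__HALT_COMPILER') !== false;
}

/**
 * Validate one $_FILES entry before move_uploaded_file().
 * Returns null when the file is acceptable, otherwise a user-facing error.
 */
function validateUpload(array $file, array $allowedMime): ?string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        return 'Upload failed.';
    }
    if (looksLikePhar((string) $file['name'], (string) $file['tmp_name'])) {
        return 'PHAR archives are not accepted.';
    }
    // Sniff the real content type; never trust the client-supplied one.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if (!in_array($mime, $allowedMime, true)) {
        return 'File type not allowed.';
    }
    return null;
}

// Usage (hypothetical form field "attachment"):
$err = validateUpload($_FILES['attachment'] ?? [], ['image/png', 'image/jpeg', 'application/pdf']);
if ($err !== null) { http_response_code(400); exit($err); }
```

Pair this with web-server rules that deny PHP execution inside the upload directory, since the name/content check is a filter, not a replacement for the fixed release.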

Weakness Enumeration: Unrestricted File Upload

Related Identifiers:
BDU:2021-04645
BIT-CIVICRM-2020-36388
CVE-2020-36388

Affected Products: Civicrm