{"id":"CVE-2020-36388","details":"In CiviCRM before 5.21.3 and 5.22.x through 5.24.x before 5.24.3, users may be able to upload and execute a crafted PHAR archive.","aliases":["BIT-civicrm-2020-36388"],"modified":"2026-03-14T10:29:50.897710Z","published":"2021-06-17T19:15:07.793Z","references":[{"type":"ADVISORY","url":"https://civicrm.org/advisory/civi-sa-2020-03"},{"type":"EVIDENCE","url":"https://blog.sonarsource.com/civicrm-code-execution-vulnerability-chain-explained/"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/civicrm/civicrm-core","events":[{"introduced":"40ba1acf222eed63bad93a26f7adf0d0e726bed7"},{"fixed":"8ed0126c83cfdeb1994dc99c40deda1c23701bab"}],"database_specific":{"versions":[{"introduced":"5.22.0"},{"fixed":"5.24.3"}]}}],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2020-36388.json","unresolved_ranges":[{"events":[{"introduced":"0"},{"fixed":"5.21.3"}]}]}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}]}