Back end users can list files outside their file mounts or the document root in the FileSelector widget.
Update to Contao 4.13.49.
None.
https://contao.org/en/security-advisories/directory-traversal-in-the-fileselector-widget
If you have any questions or comments about this advisory, open an issue in contao/contao.
Thanks to Jakob Steeg from usd AG for reporting this vulnerability.