GHSA-7m47-r75r-cx8v
Suggest an improvement- Source
- https://github.com/advisories/GHSA-7m47-r75r-cx8v
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/08/GHSA-7m47-r75r-cx8v/GHSA-7m47-r75r-cx8v.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-7m47-r75r-cx8v
- Aliases
- Published
- 2025-08-28T14:40:45Z
- Modified
- 2025-08-28T19:41:09.821715Z
- Severity
-
- 4.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N CVSS Calculator
- Summary
- Contao applies improper access control in the back end voters
- Details
-
Impact
The table access voter in the back end doesn't check if a user is allowed to access the corresponding module.
Patches
Update to Contao 5.3.38 or 5.6.1.
Workarounds
Do not rely solely on the voter and additionally check
USER_CAN_ACCESS_MODULE.For more information
If you have any questions or comments about this advisory, open an issue in contao/contao.
- Database specific
{ "github_reviewed": true, "github_reviewed_at": "2025-08-28T14:40:45Z", "nvd_published_at": "2025-08-28T17:15:36Z", "cwe_ids": [ "CWE-284" ], "severity": "MODERATE" }- References
-
- https://github.com/contao/contao/security/advisories/GHSA-7m47-r75r-cx8v
- https://nvd.nist.gov/vuln/detail/CVE-2025-57758
- https://github.com/contao/contao/commit/3f05c603e1c94d34819f837f060df5d66447d0d7
- https://contao.org/en/security-advisories/improper-access-control-in-the-back-end-voters
- https://github.com/contao/contao
Affected packages
Packagist / contao/core-bundle
Package
- Name
- contao/core-bundle
- Purl
- pkg:composer/contao/core-bundle
Affected versions
5.*
5.0.0
5.0.1
5.0.2
5.0.3
5.0.4
5.0.5
5.0.6
5.0.7
5.0.8
5.0.9
5.0.10
5.1.0-RC1
5.1.0-RC2
5.1.0-RC3
5.1.0
5.1.1
5.1.2
5.1.3
5.1.4
5.1.5
5.1.6
5.1.7
5.1.8
5.1.9
5.1.10
5.1.11
5.2.0-RC1
5.2.0-RC2
5.2.0-RC3
5.2.0-RC4
5.2.0-RC5
5.2.0-RC6
5.2.0
5.2.1
5.2.2
5.2.3
5.2.4
5.2.5
5.2.6
5.2.7
5.2.8
5.2.9
5.2.10
5.3.0-RC1
5.3.0-RC2
5.3.0-RC3
5.3.0-RC4
5.3.0
5.3.1
5.3.2
5.3.3
5.3.4
5.3.5
5.3.6
5.3.7
5.3.8
5.3.9
5.3.10
5.3.11
5.3.12
5.3.13
5.3.14
5.3.15
5.3.16
5.3.17
5.3.18
5.3.19
5.3.20
5.3.21
5.3.22
5.3.23
5.3.24
5.3.25
5.3.26
5.3.27
5.3.28
5.3.29
5.3.30
5.3.31
5.3.32
5.3.33
5.3.34
5.3.35
5.3.36
5.3.37
Packagist / contao/core-bundle
Package
- Name
- contao/core-bundle
- Purl
- pkg:composer/contao/core-bundle
Affected versions
5.*
5.4.0-RC1
5.4.0-RC2
5.4.0-RC3
5.4.0-RC4
5.4.0
5.4.1
5.4.2
5.4.3
5.4.4
5.4.5
5.4.6
5.4.7
5.4.8
5.4.9
5.4.10
5.4.11
5.4.12
5.4.13
5.4.14
5.5.0-RC1
5.5.0-RC2
5.5.0-RC3
5.5.0-RC4
5.5.0
5.5.1
5.5.2
5.5.3
5.5.4
5.5.5
5.5.6
5.5.7
5.5.8
5.5.9
5.5.10
5.5.11
5.5.12
5.5.13
5.5.14
5.5.15
5.5.16
5.6.0-RC1
5.6.0-RC2
5.6.0-RC3
5.6.0
Packagist / contao/contao
Package
- Name
- contao/contao
- Purl
- pkg:composer/contao/contao
Affected versions
5.*
5.0.0
5.0.1
5.0.2
5.0.3
5.0.4
5.0.5
5.0.6
5.0.7
5.0.8
5.0.9
5.0.10
5.1.0-RC1
5.1.0-RC2
5.1.0-RC3
5.1.0
5.1.1
5.1.2
5.1.3
5.1.4
5.1.5
5.1.6
5.1.7
5.1.8
5.1.9
5.1.10
5.1.11
5.2.0-RC1
5.2.0-RC2
5.2.0-RC3
5.2.0-RC4
5.2.0-RC5
5.2.0-RC6
5.2.0
5.2.1
5.2.2
5.2.3
5.2.4
5.2.5
5.2.6
5.2.7
5.2.8
5.2.9
5.2.10
5.3.0-RC1
5.3.0-RC2
5.3.0-RC3
5.3.0-RC4
5.3.0
5.3.1
5.3.2
5.3.3
5.3.4
5.3.5
5.3.6
5.3.7
5.3.8
5.3.9
5.3.10
5.3.11
5.3.12
5.3.13
5.3.14
5.3.15
5.3.16
5.3.17
5.3.18
5.3.19
5.3.20
5.3.21
5.3.22
5.3.23
5.3.24
5.3.25
5.3.26
5.3.27
5.3.28
5.3.29
5.3.30
5.3.31
5.3.32
5.3.33
5.3.34
5.3.35
5.3.36
5.3.37
Packagist / contao/contao
Package
- Name
- contao/contao
- Purl
- pkg:composer/contao/contao
Affected versions
5.*
5.4.0-RC1
5.4.0-RC2
5.4.0-RC3
5.4.0-RC4
5.4.0
5.4.1
5.4.2
5.4.3
5.4.4
5.4.5
5.4.6
5.4.7
5.4.8
5.4.9
5.4.10
5.4.11
5.4.12
5.4.13
5.4.14
5.5.0-RC1
5.5.0-RC2
5.5.0-RC3
5.5.0-RC4
5.5.0
5.5.1
5.5.2
5.5.3
5.5.4
5.5.5
5.5.6
5.5.7
5.5.8
5.5.9
5.5.10
5.5.11
5.5.12
5.5.13
5.5.14
5.5.15
5.5.16
5.6.0-RC1
5.6.0-RC2
5.6.0-RC3
5.6.0