GHSA-wjx8-cgrm-hh8p

Source

https://github.com/advisories/GHSA-wjx8-cgrm-hh8p

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/12/GHSA-wjx8-cgrm-hh8p/GHSA-wjx8-cgrm-hh8p.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-wjx8-cgrm-hh8p

Aliases

CVE-2019-19745

Published

2019-12-17T22:53:10Z

Modified

2024-04-22T19:01:17.269161Z

Severity

8.8 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVSS Calculator

Summary

Unrestricted file uploads in Contao

Details

Impact

A back end user with access to the form generator can upload arbitrary files and execute them on the server.

Patches

Update to Contao 4.4.46 or 4.8.6.

Workarounds

Configure your web server so it does not execute PHP files and other scripts in the Contao file upload directory.

References

https://contao.org/en/security-advisories/unrestricted-file-uploads

For more information

If you have any questions or comments about this advisory, open an issue in contao/contao.

Database specific

{
    "nvd_published_at": "2019-12-17T15:15:25Z",
    "cwe_ids": [
        "CWE-434"
    ],
    "severity": "HIGH",
    "github_reviewed": true,
    "github_reviewed_at": "2019-12-17T19:42:31Z"
}

References

Affected packages

Packagist / contao/core-bundle

Package

Name: contao/core-bundle
Purl: pkg:composer/contao/core-bundle

Affected ranges

Type: ECOSYSTEM
Events: Introduced

4.0.0

Fixed

4.4.46

Affected versions

4.*

4.0.0

4.0.1

4.0.2

4.0.3

4.0.4

4.1.0-beta1

4.1.0-RC1

4.1.0

4.1.1

4.1.2

4.1.3

4.2.0-beta1

4.2.0-RC1

4.2.0

4.2.1

4.2.2

4.2.3

4.2.4

4.2.5

4.3.0-RC1

4.3.0

4.3.1

4.3.2

4.3.3

4.3.4

4.3.5

4.3.6

4.3.7

4.3.8

4.3.9

4.3.10

4.3.11

4.4.0-beta1

4.4.0-RC1

4.4.0-RC2

4.4.0

4.4.1

4.4.2

4.4.3

4.4.4

4.4.5

4.4.6

4.4.7

4.4.8

4.4.9

4.4.10

4.4.11

4.4.12

4.4.13

4.4.14

4.4.15

4.4.16

4.4.17

4.4.18

4.4.19

4.4.20

4.4.21

4.4.22

4.4.23

4.4.24

4.4.25

4.4.26

4.4.27

4.4.28

4.4.29

4.4.30

4.4.31

4.4.32

4.4.33

4.4.34

4.4.35

4.4.36

4.4.37

4.4.38

4.4.39

4.4.40

4.4.41

4.4.42

4.4.43

4.4.44

4.4.45

Packagist / contao/core-bundle

Package

Name: contao/core-bundle
Purl: pkg:composer/contao/core-bundle

Affected ranges

Type: ECOSYSTEM
Events: Introduced

4.5.0

Fixed

4.8.6

Affected versions

4.*

4.5.0

4.5.1

4.5.2

4.5.3

4.5.4

4.5.5

4.5.6

4.5.7

4.5.8

4.5.9

4.5.10

4.5.11

4.5.12

4.5.13

4.5.14

4.6.0-RC1

4.6.0-RC2

4.6.0-RC3

4.6.0

4.6.1

4.6.2

4.6.3

4.6.4

4.6.5

4.6.6

4.6.7

4.6.8

4.6.9

4.6.10

4.6.11

4.6.12

4.6.13

4.6.14

4.7.0-RC1

4.7.0-RC2

4.7.0-RC3

4.7.0-RC4

4.7.0

4.7.1

4.7.2

4.7.3

4.7.4

4.7.5

4.7.6

4.7.7

4.8.0-RC1

4.8.0-RC2

4.8.0

4.8.1

4.8.2

4.8.3

4.8.4

4.8.5

Packagist / contao/contao

Package

Name: contao/contao
Purl: pkg:composer/contao/contao

Affected ranges

Type: ECOSYSTEM
Events: Introduced

4.0.0

Fixed

4.4.46

Affected versions

4.*

4.4.22

4.4.23

4.4.24

4.4.25

4.4.26

4.4.27

4.4.28

4.4.29

4.4.30

4.4.31

4.4.32

4.4.33

4.4.34

4.4.35

4.4.36

4.4.37

4.4.38

4.4.39

4.4.40

4.4.41

4.4.42

4.4.43

4.4.44

4.4.45

Packagist / contao/contao

Package

Name: contao/contao
Purl: pkg:composer/contao/contao

Affected ranges

Type: ECOSYSTEM
Events: Introduced

4.5.0

Fixed

4.8.6

Affected versions

4.*

4.5.13

4.5.14

4.6.0

4.6.1

4.6.2

4.6.3

4.6.4

4.6.5

4.6.6

4.6.7

4.6.8

4.6.9

4.6.10

4.6.11

4.6.12

4.6.13

4.6.14

4.7.0-RC1

4.7.0-RC2

4.7.0-RC3

4.7.0-RC4

4.7.0

4.7.1

4.7.2

4.7.3

4.7.4

4.7.5

4.7.6

4.7.7

4.8.0-RC1

4.8.0-RC2

4.8.0

4.8.1

4.8.2

4.8.3

4.8.4

4.8.5