GHSA-wxxw-5gq6-j2g5

Suggest an improvement
Source
https://github.com/advisories/GHSA-wxxw-5gq6-j2g5
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/05/GHSA-wxxw-5gq6-j2g5/GHSA-wxxw-5gq6-j2g5.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-wxxw-5gq6-j2g5
Published
2024-05-15T18:31:02Z
Modified
2024-11-29T05:35:05.118832Z
Severity
  • 9.0 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H CVSS Calculator
Summary
contao/core Insufficient input validation allows for code injection and remote execution
Details

contao/core versions 2.x prior to 2.11.17 and 3.x prior to 3.2.9 are vulnerable to arbitrary code execution on the server due to insufficient input validation. In fact, attackers can remove or change pathconfig.php by entering a URL, meaning that the entire Contao installation will no longer be accessible or malicious code can be executed.

Database specific 
{
    "nvd_published_at": null,
    "cwe_ids": [],
    "severity": "CRITICAL",
    "github_reviewed": true,
    "github_reviewed_at": "2024-05-15T18:31:02Z"
}
References

Affected packages

Packagist / contao/core

Package

Name
contao/core
Purl
pkg:composer/contao/core

Affected ranges

Type
ECOSYSTEM
Events
Introduced
2.0.0
Fixed
2.11.17

Affected versions

2.*

2.6.0
2.6.1
2.6.2
2.6.3
2.6.4
2.6.5
2.6.6
2.6.7
2.6.8
2.7.0
2.7.1
2.7.2
2.7.3
2.7.4
2.7.5
2.7.6
2.7.7
2.8.RC1
2.8.RC2
2.8.0
2.8.1
2.8.2
2.8.3
2.8.4
2.9.RC1
2.9.0
2.9.1
2.9.2
2.9.3
2.9.4
2.9.5
2.10.beta1
2.10.RC1
2.10.0
2.10.1
2.10.2
2.10.3
2.10.4
2.11.RC1
2.11.RC2
2.11.0
2.11.1
2.11.2
2.11.3
2.11.4
2.11.5
2.11.6
2.11.7
2.11.8
2.11.9
2.11.10
2.11.11
2.11.12
2.11.13
2.11.14
2.11.15
2.11.16

Packagist / contao/core

Package

Name
contao/core
Purl
pkg:composer/contao/core

Affected ranges

Type
ECOSYSTEM
Events
Introduced
3.0.0
Fixed
3.2.9

Affected versions

3.*

3.0.0
3.0.1
3.0.2
3.0.3
3.0.4
3.0.5
3.0.6
3.1.beta1
3.1.RC1
3.1.0
3.1.1
3.1.2
3.1.3
3.1.4
3.1.5
3.2.beta1
3.2.beta2
3.2.RC1
3.2.0
3.2.1
3.2.2
3.2.3
3.2.4
3.2.5
3.2.6
3.2.7
3.2.8