GHSA-x5g4-crxq-qxjx

Suggest an improvement
Source
https://github.com/advisories/GHSA-x5g4-crxq-qxjx
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-x5g4-crxq-qxjx/GHSA-x5g4-crxq-qxjx.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-x5g4-crxq-qxjx
Aliases
Published
2022-05-13T01:42:03Z
Modified
2024-04-25T23:43:34.816106Z
Severity
  • 8.8 (High) CVSS_V3 - CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
Summary
Contao Core directory traversal vulnerability
Details

A logged in back end user can include arbitrary PHP files by manipulating an URL parameter. Since Contao does not allow to upload PHP files in the file manager, the attack is limited to the existing PHP files on the server.

References

Affected packages

Packagist / contao/contao

Package

Name
contao/contao
Purl
pkg:composer/contao/contao

Affected ranges

Type
ECOSYSTEM
Events
Introduced
4.0.0
Fixed
4.4.1

Packagist / contao/core-bundle

Package

Name
contao/core-bundle
Purl
pkg:composer/contao/core-bundle

Affected ranges

Type
ECOSYSTEM
Events
Introduced
4.0.0
Fixed
4.4.1

Affected versions

4.*

4.0.0
4.0.1
4.0.2
4.0.3
4.0.4
4.1.0-beta1
4.1.0-RC1
4.1.0
4.1.1
4.1.2
4.1.3
4.2.0-beta1
4.2.0-RC1
4.2.0
4.2.1
4.2.2
4.2.3
4.2.4
4.2.5
4.3.0-RC1
4.3.0
4.3.1
4.3.2
4.3.3
4.3.4
4.3.5
4.3.6
4.3.7
4.3.8
4.3.9
4.3.10
4.3.11
4.4.0-beta1
4.4.0-RC1
4.4.0-RC2
4.4.0

Packagist / contao/core

Package

Name
contao/core
Purl
pkg:composer/contao/core

Affected ranges

Type
ECOSYSTEM
Events
Introduced
3.0.0
Fixed
3.5.28

Affected versions

3.*

3.0.0
3.0.1
3.0.2
3.0.3
3.0.4
3.0.5
3.0.6
3.1.beta1
3.1.RC1
3.1.0
3.1.1
3.1.2
3.1.3
3.1.4
3.1.5
3.2.beta1
3.2.beta2
3.2.RC1
3.2.0
3.2.1
3.2.2
3.2.3
3.2.4
3.2.5
3.2.6
3.2.7
3.2.8
3.2.9
3.2.10
3.2.11
3.2.12
3.2.13
3.2.14
3.2.15
3.2.16
3.2.17
3.2.18
3.2.19
3.2.20
3.2.21
3.3.0-beta1
3.3.0-RC1
3.3.0-RC2
3.3.0
3.3.1
3.3.2
3.3.3
3.3.4
3.3.5
3.3.6
3.3.7
3.4.0-beta1
3.4.0-RC1
3.4.0
3.4.1
3.4.2
3.4.3
3.4.4
3.4.5
3.5.0-beta1
3.5.0-RC1
3.5.0
3.5.1
3.5.2
3.5.3
3.5.4
3.5.5
3.5.6
3.5.7
3.5.8
3.5.9
3.5.10
3.5.11
3.5.12
3.5.13
3.5.14
3.5.15
3.5.16
3.5.17
3.5.18
3.5.19
3.5.20
3.5.21
3.5.22
3.5.23
3.5.24
3.5.25
3.5.26
3.5.27