GHSA-x5g4-crxq-qxjx

Source
https://github.com/advisories/GHSA-x5g4-crxq-qxjx
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-x5g4-crxq-qxjx/GHSA-x5g4-crxq-qxjx.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-x5g4-crxq-qxjx
Aliases
Published
2022-05-13T01:42:03Z
Modified
2024-04-25T23:43:34.816106Z
Severity
  • 8.8 (High) CVSS_V3 - CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Summary
Contao Core directory traversal vulnerability
Details

A logged-in back end user can include arbitrary PHP files by manipulating a URL parameter. Since Contao does not allow PHP files to be uploaded through the file manager, the attack is limited to the PHP files already present on the server.

Database specific
{
    "nvd_published_at": "2017-07-21T06:29:00Z",
    "cwe_ids": [
        "CWE-22"
    ],
    "severity": "HIGH",
    "github_reviewed": true,
    "github_reviewed_at": "2024-04-25T23:17:00Z"
}
References

Affected packages

Packagist / contao/contao

Package

Name
contao/contao
Purl
pkg:composer/contao/contao

Affected ranges

Type
ECOSYSTEM
Events
Introduced
4.0.0
Fixed
4.4.1

Packagist / contao/core-bundle

Package

Name
contao/core-bundle
Purl
pkg:composer/contao/core-bundle

Affected ranges

Type
ECOSYSTEM
Events
Introduced
4.0.0
Fixed
4.4.1

Affected versions

4.*

4.0.0
4.0.1
4.0.2
4.0.3
4.0.4
4.1.0-beta1
4.1.0-RC1
4.1.0
4.1.1
4.1.2
4.1.3
4.2.0-beta1
4.2.0-RC1
4.2.0
4.2.1
4.2.2
4.2.3
4.2.4
4.2.5
4.3.0-RC1
4.3.0
4.3.1
4.3.2
4.3.3
4.3.4
4.3.5
4.3.6
4.3.7
4.3.8
4.3.9
4.3.10
4.3.11
4.4.0-beta1
4.4.0-RC1
4.4.0-RC2
4.4.0

Packagist / contao/core

Package

Name
contao/core
Purl
pkg:composer/contao/core

Affected ranges

Type
ECOSYSTEM
Events
Introduced
3.0.0
Fixed
3.5.28

Affected versions

3.*

3.0.0
3.0.1
3.0.2
3.0.3
3.0.4
3.0.5
3.0.6
3.1.beta1
3.1.RC1
3.1.0
3.1.1
3.1.2
3.1.3
3.1.4
3.1.5
3.2.beta1
3.2.beta2
3.2.RC1
3.2.0
3.2.1
3.2.2
3.2.3
3.2.4
3.2.5
3.2.6
3.2.7
3.2.8
3.2.9
3.2.10
3.2.11
3.2.12
3.2.13
3.2.14
3.2.15
3.2.16
3.2.17
3.2.18
3.2.19
3.2.20
3.2.21
3.3.0-beta1
3.3.0-RC1
3.3.0-RC2
3.3.0
3.3.1
3.3.2
3.3.3
3.3.4
3.3.5
3.3.6
3.3.7
3.4.0-beta1
3.4.0-RC1
3.4.0
3.4.1
3.4.2
3.4.3
3.4.4
3.4.5
3.5.0-beta1
3.5.0-RC1
3.5.0
3.5.1
3.5.2
3.5.3
3.5.4
3.5.5
3.5.6
3.5.7
3.5.8
3.5.9
3.5.10
3.5.11
3.5.12
3.5.13
3.5.14
3.5.15
3.5.16
3.5.17
3.5.18
3.5.19
3.5.20
3.5.21
3.5.22
3.5.23
3.5.24
3.5.25
3.5.26
3.5.27