Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS13eHh3LTVncTYtajJnNc4AA8G5
contao/core Insufficient input validation allows for code injection and remote execution
contao/core versions 2.x prior to 2.11.17 and 3.x prior to 3.2.9 are vulnerable to arbitrary code execution on the server due to insufficient input validation. Specifically, an attacker can remove or change pathconfig.php by requesting a crafted URL, so that either the entire Contao installation becomes inaccessible or malicious code is executed.
Permalink: https://github.com/advisories/GHSA-wxxw-5gq6-j2g5
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS13eHh3LTVncTYtajJnNc4AA8G5
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Critical
Classification: General
Published: 7 months ago
Updated: 7 months ago
CVSS Score: 9.1
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H
Identifiers: GHSA-wxxw-5gq6-j2g5
References:
- https://github.com/contao/core/issues/6855
- https://github.com/contao/core/commit/d45503568751a868193929ef349a49ae5e6686f0
- https://github.com/contao/core/commit/d4a14f167e0cbb2e77c7829299e5b36f55c1ebce
- https://c-c-a.org/aktuelles/news/details/eine-neue-kritische-sicherheitsluecke-in-contao-entdeckt
- https://github.com/FriendsOfPHP/security-advisories/blob/master/contao/core/2014-04-07.yaml
- https://web.archive.org/web/20240214121817/https://contao.org/en/news/new-security-hole-found-in-contao
- https://github.com/advisories/GHSA-wxxw-5gq6-j2g5
Blast Radius: 25.1
Affected Packages
packagist:contao/core
Dependent packages: 943
Dependent repositories: 566
Downloads: 49,788 total
Affected Version Ranges: >= 3.0.0, < 3.2.9, >= 2.0.0, < 2.11.17
Fixed in: 3.2.9, 2.11.17
All affected versions: 2.6.0, 2.6.1, 2.6.2, 2.6.3, 2.6.4, 2.6.5, 2.6.6, 2.6.7, 2.6.8, 2.7.0, 2.7.1, 2.7.2, 2.7.3, 2.7.4, 2.7.5, 2.7.6, 2.7.7, 2.8.0, 2.8.1, 2.8.2, 2.8.3, 2.8.4, 2.9.0, 2.9.1, 2.9.2, 2.9.3, 2.9.4, 2.9.5, 2.10.0, 2.10.1, 2.10.2, 2.10.3, 2.10.4, 2.11.0, 2.11.1, 2.11.2, 2.11.3, 2.11.4, 2.11.5, 2.11.6, 2.11.7, 2.11.8, 2.11.9, 2.11.10, 2.11.11, 2.11.12, 2.11.13, 2.11.14, 2.11.15, 2.11.16, 3.0.0, 3.0.1, 3.0.2, 3.0.3, 3.0.4, 3.0.5, 3.0.6, 3.1.0, 3.1.1, 3.1.2, 3.1.3, 3.1.4, 3.1.5, 3.2.0, 3.2.1, 3.2.2, 3.2.3, 3.2.4, 3.2.5, 3.2.6, 3.2.7, 3.2.8
All unaffected versions: 2.11.17, 3.2.9, 3.2.10, 3.2.11, 3.2.12, 3.2.13, 3.2.14, 3.2.15, 3.2.16, 3.2.17, 3.2.18, 3.2.19, 3.2.20, 3.2.21, 3.3.0, 3.3.1, 3.3.2, 3.3.3, 3.3.4, 3.3.5, 3.3.6, 3.3.7, 3.4.0, 3.4.1, 3.4.2, 3.4.3, 3.4.4, 3.4.5, 3.5.0, 3.5.1, 3.5.2, 3.5.3, 3.5.4, 3.5.5, 3.5.6, 3.5.7, 3.5.8, 3.5.9, 3.5.10, 3.5.11, 3.5.12, 3.5.13, 3.5.14, 3.5.15, 3.5.16, 3.5.17, 3.5.18, 3.5.19, 3.5.20, 3.5.21, 3.5.22, 3.5.23, 3.5.24, 3.5.25, 3.5.26, 3.5.27, 3.5.28, 3.5.29, 3.5.30, 3.5.31, 3.5.32, 3.5.33, 3.5.34, 3.5.35, 3.5.36, 3.5.37, 3.5.38, 3.5.39, 3.5.40