Ecosyste.ms: Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

Security Advisories: MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLXI2bXYtcHBqYy00aGdy

PHP file inclusion via insert tags

Impact

It is possible for untrusted users to load arbitrary PHP files via insert tags.

Installations are only affected if there are untrusted back end users.

Patches

Update to Contao 4.4.56, 4.9.18 or 4.11.7.

Workarounds

Disable the login for untrusted back end users.

References

https://contao.org/en/security-advisories/php-file-inclusion-via-insert-tags

For more information

If you have any questions or comments about this advisory, open an issue in contao/contao.

Permalink: https://github.com/advisories/GHSA-r6mv-ppjc-4hgr
JSON: https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLXI2bXYtcHBqYy00aGdy
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: over 2 years ago
Updated: 4 days ago

CVSS Score: 6.7
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:L

Identifiers: GHSA-r6mv-ppjc-4hgr, CVE-2021-37626
References:

Repository: https://github.com/contao/contao
Blast Radius: 22.0

Affected Packages

packagist:contao/contao

Dependent packages: 8
Dependent repositories: 7
Downloads: 13,115 total
Affected Version Ranges: >= 4.10.0, < 4.11.7, >= 4.5.0, < 4.9.18, >= 4.0.0, < 4.4.56
Fixed in: 4.11.7, 4.9.18, 4.4.56
All affected versions: 4.4.22, 4.4.23, 4.4.24, 4.4.25, 4.4.26, 4.4.27, 4.4.28, 4.4.29, 4.4.30, 4.4.31, 4.4.32, 4.4.33, 4.4.34, 4.4.35, 4.4.36, 4.4.37, 4.4.38, 4.4.39, 4.4.40, 4.4.41, 4.4.42, 4.4.43, 4.4.44, 4.4.45, 4.4.46, 4.4.47, 4.4.48, 4.4.49, 4.4.50, 4.4.51, 4.4.52, 4.4.53, 4.4.54, 4.4.55, 4.5.13, 4.5.14, 4.6.0, 4.6.1, 4.6.2, 4.6.3, 4.6.4, 4.6.5, 4.6.6, 4.6.7, 4.6.8, 4.6.9, 4.6.10, 4.6.11, 4.6.12, 4.6.13, 4.6.14, 4.7.0, 4.7.1, 4.7.2, 4.7.3, 4.7.4, 4.7.5, 4.7.6, 4.7.7, 4.8.0, 4.8.1, 4.8.2, 4.8.3, 4.8.4, 4.8.5, 4.8.6, 4.8.7, 4.8.8, 4.9.0, 4.9.1, 4.9.2, 4.9.3, 4.9.4, 4.9.5, 4.9.6, 4.9.7, 4.9.8, 4.9.9, 4.9.10, 4.9.11, 4.9.12, 4.9.13, 4.9.14, 4.9.15, 4.9.16, 4.9.17, 4.10.0, 4.10.1, 4.10.2, 4.10.3, 4.10.4, 4.10.5, 4.10.6, 4.10.7, 4.11.0, 4.11.1, 4.11.2, 4.11.3, 4.11.4, 4.11.5, 4.11.6
All unaffected versions: 4.4.56, 4.4.57, 4.9.18, 4.9.19, 4.9.20, 4.9.21, 4.9.22, 4.9.23, 4.9.24, 4.9.25, 4.9.26, 4.9.27, 4.9.28, 4.9.29, 4.9.30, 4.9.31, 4.9.32, 4.9.33, 4.9.34, 4.9.35, 4.9.36, 4.9.37, 4.9.38, 4.9.39, 4.9.40, 4.9.41, 4.9.42, 4.11.7, 4.11.8, 4.11.9, 4.12.0, 4.12.1, 4.12.2, 4.12.3, 4.12.4, 4.12.5, 4.12.6, 4.12.7, 4.13.0, 4.13.1, 4.13.2, 4.13.3, 4.13.4, 4.13.5, 4.13.6, 4.13.7, 4.13.8, 4.13.9, 4.13.10, 4.13.11, 4.13.12, 4.13.13, 4.13.14, 4.13.15, 4.13.16, 4.13.17, 4.13.18, 4.13.19, 4.13.20, 4.13.21, 4.13.22, 4.13.23, 4.13.24, 4.13.25, 4.13.26, 4.13.27, 4.13.28, 4.13.29, 4.13.30, 4.13.31, 4.13.32, 4.13.33, 4.13.34, 4.13.35, 4.13.36, 4.13.37, 4.13.38, 4.13.39, 4.13.40, 4.13.41, 4.13.42, 4.13.43, 5.0.0, 5.0.1, 5.0.2, 5.0.3, 5.0.4, 5.0.5, 5.0.6, 5.0.7, 5.0.8, 5.0.9, 5.0.10, 5.1.0, 5.1.1, 5.1.2, 5.1.3, 5.1.4, 5.1.5, 5.1.6, 5.1.7, 5.1.8, 5.1.9, 5.1.10, 5.1.11, 5.2.0, 5.2.1, 5.2.2, 5.2.3, 5.2.4, 5.2.5, 5.2.6, 5.2.7, 5.2.8, 5.2.9, 5.2.10, 5.3.0, 5.3.1, 5.3.2, 5.3.3, 5.3.4, 5.3.5, 5.3.6, 5.3.7

packagist:contao/core-bundle

Dependent packages: 1,879
Dependent repositories: 1,932
Downloads: 1,124,668 total
Affected Version Ranges: >= 4.10.0, < 4.11.7, >= 4.5.0, < 4.9.18, >= 4.0.0, < 4.4.56
Fixed in: 4.11.7, 4.9.18, 4.4.56
All affected versions: 4.0.0, 4.0.1, 4.0.2, 4.0.3, 4.0.4, 4.1.0, 4.1.1, 4.1.2, 4.1.3, 4.2.0, 4.2.1, 4.2.2, 4.2.3, 4.2.4, 4.2.5, 4.3.0, 4.3.1, 4.3.2, 4.3.3, 4.3.4, 4.3.5, 4.3.6, 4.3.7, 4.3.8, 4.3.9, 4.3.10, 4.3.11, 4.4.0, 4.4.1, 4.4.2, 4.4.3, 4.4.4, 4.4.5, 4.4.6, 4.4.7, 4.4.8, 4.4.9, 4.4.10, 4.4.11, 4.4.12, 4.4.13, 4.4.14, 4.4.15, 4.4.16, 4.4.17, 4.4.18, 4.4.19, 4.4.20, 4.4.21, 4.4.22, 4.4.23, 4.4.24, 4.4.25, 4.4.26, 4.4.27, 4.4.28, 4.4.29, 4.4.30, 4.4.31, 4.4.32, 4.4.33, 4.4.34, 4.4.35, 4.4.36, 4.4.37, 4.4.38, 4.4.39, 4.4.40, 4.4.41, 4.4.42, 4.4.43, 4.4.44, 4.4.45, 4.4.46, 4.4.47, 4.4.48, 4.4.49, 4.4.50, 4.4.51, 4.4.52, 4.4.53, 4.4.54, 4.4.55, 4.5.0, 4.5.1, 4.5.2, 4.5.3, 4.5.4, 4.5.5, 4.5.6, 4.5.7, 4.5.8, 4.5.9, 4.5.10, 4.5.11, 4.5.12, 4.5.13, 4.5.14, 4.6.0, 4.6.1, 4.6.2, 4.6.3, 4.6.4, 4.6.5, 4.6.6, 4.6.7, 4.6.8, 4.6.9, 4.6.10, 4.6.11, 4.6.12, 4.6.13, 4.6.14, 4.7.0, 4.7.1, 4.7.2, 4.7.3, 4.7.4, 4.7.5, 4.7.6, 4.7.7, 4.8.0, 4.8.1, 4.8.2, 4.8.3, 4.8.4, 4.8.5, 4.8.6, 4.8.7, 4.8.8, 4.9.0, 4.9.1, 4.9.2, 4.9.3, 4.9.4, 4.9.5, 4.9.6, 4.9.7, 4.9.8, 4.9.9, 4.9.10, 4.9.11, 4.9.12, 4.9.13, 4.9.14, 4.9.15, 4.9.16, 4.9.17, 4.10.0, 4.10.1, 4.10.2, 4.10.3, 4.10.4, 4.10.5, 4.10.6, 4.10.7, 4.11.0, 4.11.1, 4.11.2, 4.11.3, 4.11.4, 4.11.5, 4.11.6
All unaffected versions: 4.4.56, 4.4.57, 4.9.18, 4.9.19, 4.9.20, 4.9.21, 4.9.22, 4.9.23, 4.9.24, 4.9.25, 4.9.26, 4.9.27, 4.9.28, 4.9.29, 4.9.30, 4.9.31, 4.9.32, 4.9.33, 4.9.34, 4.9.35, 4.9.36, 4.9.37, 4.9.38, 4.9.39, 4.9.40, 4.9.41, 4.9.42, 4.11.7, 4.11.8, 4.11.9, 4.12.0, 4.12.1, 4.12.2, 4.12.3, 4.12.4, 4.12.5, 4.12.6, 4.12.7, 4.13.0, 4.13.1, 4.13.2, 4.13.3, 4.13.4, 4.13.5, 4.13.6, 4.13.7, 4.13.8, 4.13.9, 4.13.10, 4.13.11, 4.13.12, 4.13.13, 4.13.14, 4.13.15, 4.13.16, 4.13.17, 4.13.18, 4.13.19, 4.13.20, 4.13.21, 4.13.22, 4.13.23, 4.13.24, 4.13.25, 4.13.26, 4.13.27, 4.13.28, 4.13.29, 4.13.30, 4.13.31, 4.13.32, 4.13.33, 4.13.34, 4.13.35, 4.13.36, 4.13.37, 4.13.38, 4.13.39, 4.13.40, 4.13.41, 4.13.42, 4.13.43, 5.0.0, 5.0.1, 5.0.2, 5.0.3, 5.0.4, 5.0.5, 5.0.6, 5.0.7, 5.0.8, 5.0.9, 5.0.10, 5.1.0, 5.1.1, 5.1.2, 5.1.3, 5.1.4, 5.1.5, 5.1.6, 5.1.7, 5.1.8, 5.1.9, 5.1.10, 5.1.11, 5.2.0, 5.2.1, 5.2.2, 5.2.3, 5.2.4, 5.2.5, 5.2.6, 5.2.7, 5.2.8, 5.2.9, 5.2.10, 5.3.0, 5.3.1, 5.3.2, 5.3.3, 5.3.4, 5.3.5, 5.3.6, 5.3.7