CVE-2017-10993 – contao/core-bundle
Package
Manager: composer
Name: contao/core-bundle
Vulnerable Version: >=4.0.0 <4.4.1
Severity
Level: High
CVSS v3.1: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
EPSS: 0.00825 (percentile: 0.73596)
Details
Contao Core directory traversal vulnerability
A logged-in back end user can include arbitrary PHP files by manipulating a URL parameter. Since Contao does not allow PHP files to be uploaded in the file manager, the attack is limited to the PHP files that already exist on the server.
Metadata
Created: 2022-05-13T01:42:03Z
Modified: 2024-04-25T23:17:00Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-x5g4-crxq-qxjx/GHSA-x5g4-crxq-qxjx.json
CWE IDs: ["CWE-22"]
Alternative ID: GHSA-x5g4-crxq-qxjx
Finding: F063
Auto approve: 1