CVE-2021-37627 – contao/core-bundle
Package
Manager: composer
Name: contao/core-bundle
Vulnerable Version: >=4.0.0 <4.4.56 || >=4.5.0 <4.9.18 || >=4.10.0 <4.11.7
Severity
Level: High
CVSS v3.1: CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H
CVSS v4.0: CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H
EPSS: 0.00485 pctl0.64371
Details
Privilege escalation via form generator

### Impact

It is possible for untrusted users to gain administrator rights with the form generator. Installations are only affected if there are untrusted back end users with access to the form generator.

### Patches

Update to Contao 4.4.56, 4.9.18 or 4.11.7.

### Workarounds

Disable the form generator or disable the login for untrusted back end users.

### References

https://contao.org/en/security-advisories/privilege-escalation-with-the-form-generator

### For more information

If you have any questions or comments about this advisory, open an issue in [contao/contao](https://github.com/contao/contao/issues/new/choose).
Metadata
Created: 2021-08-23T19:41:22Z
Modified: 2024-04-22T18:40:15Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/08/GHSA-hq5m-mqmx-fw6m/GHSA-hq5m-mqmx-fw6m.json
CWE IDs: ["CWE-269"]
Alternative ID: GHSA-hq5m-mqmx-fw6m
Finding: F159
Auto approve: 1