CVE-2024-45398 – contao/core-bundle
Package
Manager: composer
Name: contao/core-bundle
Vulnerable Version: >=4.0.0 <4.13.49 || >=5.0.0 <5.3.15 || >=5.4.0 <5.4.3
Severity
Level: High
CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N
EPSS: 0.00261 (percentile 0.49307)
Details
Contao affected by remote command execution through file upload

### Impact
Back end users with access to the file manager can upload malicious files and execute them on the server.

### Patches
Update to Contao 4.13.49, 5.3.15 or 5.4.3.

### Workarounds
Configure your web server so it does not execute PHP files and other scripts in the Contao file upload directory.

### References
https://contao.org/en/security-advisories/remote-command-execution-through-file-uploads

### For more information
If you have any questions or comments about this advisory, open an issue in [contao/contao](https://github.com/contao/contao/issues/new/choose).

### Credits
Thanks to Jakob Steeg from usd AG for reporting this vulnerability.
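One way to apply the workaround above on nginx, shown as an added example that is not part of the advisory and not Contao's own configuration. It assumes the default Contao upload directory `files/` served from the site root, a PHP-FPM socket at `/run/php/php-fpm.sock`, and a document root of `/var/www/contao/public`; adjust all three to your deployment. The point is ordering: the deny rule for the upload directory must precede the general PHP handler, because nginx uses the first matching regex `location`.

```nginx
# Added example (not from the advisory): refuse to execute scripts uploaded
# into the Contao file manager directory. Assumed paths are marked below.
server {
    listen 80;
    root /var/www/contao/public;        # assumed document root
    index index.php;

    # Uploads are served as static content only. Any script-like file under
    # files/ is denied outright instead of being passed to PHP-FPM.
    # Extension list covers the common PHP handler suffixes; extend it to
    # match whatever your PHP handler is configured to execute.
    location ~ ^/files/.*\.(php|phar|phtml|php[0-9])$ {
        deny all;
    }

    # Normal PHP handling for the rest of the site. This MUST come after the
    # block above: nginx stops at the first regex location that matches.
    location ~ \.php$ {
        include fastcgi_params;
        fastcgi_pass unix:/run/php/php-fpm.sock;   # assumed socket path
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    }
}
```

After reloading nginx, a request for a `.php` file under `/files/` should return 403 rather than execute. This only mitigates execution through the web server; it does not remove the underlying upload flaw, so the version upgrade in the Patches section is still required.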
Metadata
Created: 2024-09-17T14:58:35Z
Modified: 2024-09-17T22:24:36Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/09/GHSA-vm6r-j788-hjh5/GHSA-vm6r-j788-hjh5.json
CWE IDs: ["CWE-434"]
Alternative ID: GHSA-vm6r-j788-hjh5
Finding: F027
Auto approve: 1