GHSA-wxxw-5gq6-j2g5 contao/core

Package

Manager: composer
Name: contao/core
Vulnerable Version: >=2.0.0 <2.11.17 || >=3.0.0 <3.2.9

Severity

Level: Critical

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

EPSS: N/A (percentile: N/A)

Details

contao/core: Insufficient input validation allows for code injection and remote execution.

contao/core versions 2.x prior to 2.11.17 and 3.x prior to 3.2.9 are vulnerable to arbitrary code execution on the server due to insufficient input validation. Attackers can remove or change pathconfig.php by entering a URL, meaning that the entire Contao installation will no longer be accessible or that malicious code can be executed.

Metadata

Created: 2024-05-15T18:31:02Z
Modified: 2024-05-15T18:31:02Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/05/GHSA-wxxw-5gq6-j2g5/GHSA-wxxw-5gq6-j2g5.json
CWE IDs: []
Alternative ID: N/A
Finding: F184
Auto approve: 1